Cybersecurity Risk is Regulator’s No. 1 Concern

Technology continues to progress at a rapid pace, which creates increased opportunities for banks to better meet their customers’ needs. Along with these opportunities, the volume and pace of technological change also bring significant increases in cybersecurity risk for banks and their customers. New technology opens doors that become gateways for new risks, which means as a banker you need to take more precautions than ever before to stay ahead of the cybersecurity curve.

Cyber thieves and hackers target banks primarily for two reasons - obtaining confidential customer information that can then be used for identity theft purposes, and gaining access to systems that have the ability to move money. Rather than committing fraud with the stroke of a pen, they are doing it with a few clicks of a mouse and a keyboard from anywhere in the world. While multi-billion dollar institutions have specialized teams and 24-hour staffing dedicated to cybersecurity (JP Morgan Chase opened an office across from NSA headquarters in Ft. Meade, Maryland, to attract cybersecurity professionals), community banks don’t have the same level of resources as these institutions even though they are susceptible to the same risks.

Community banks have plenty of other issues to resolve every day. Anything that doesn’t seem so immediate can easily be pushed down the list. From a strictly local viewpoint, a banker might say, “We haven’t experienced any successful cybersecurity attacks, so we must be OK.” But regulators have a different vantage point - looking at what’s happening over a broader area. Regulators are worried that the frequency and sophistication of cybersecurity attacks are increasing dramatically, banks are taking fraud losses as a result and many community banks are not adequately prepared.

When Comptroller of the Currency Thomas Curry warned recently that cybersecurity is a bank’s most important risk, many bankers probably reacted with surprise. The emphasis on cybersecurity was different from what many bankers initially perceived it would be.

But in 2014, there were more than 42 million reported security incidents - over 117,000 per day, and almost 50 percent more than in 2013. The reported security incidents in 2014 were also almost 14 times the number occurring five years earlier in 2009. Many community banks are much more vulnerable to cyberattacks today than several years ago.

Examiners have made multiple statements this year that cybersecurity risk is the number one risk, ahead of both interest rate and credit risk. The average cost of a security breach is $236 per customer record. For a bank that had only 1,000 customer records compromised, that would equal a $236,000 cost to the bank. It’s no wonder examiners are advising that a bank’s board of directors take a direct role in managing this risk and ensuring that their bank is devoting the necessary resources to mitigate this type of fraud.

It’s clear in most cases that a bank’s major business risks must be supervised and monitored at the board level. Establishing and monitoring the bank’s Loan Policy (controlling lending risk) is an example. The Asset-Liability Management Policy (controlling interest-rate risk) is another example. Similarly, a bank’s cyber risk has now become so important that it requires supervision and strategic decision making - at the board level - not by an IT officer.

On June 30, the FFIEC released a Cybersecurity Assessment Tool for bank boards to use internally to evaluate (1) the bank’s existing information security risks, (2) the “maturity level” of its existing information security protections and (3) whether the bank’s information security risks and security controls are appropriately balanced or not. This Assessment Tool shows management and the board what gaps may exist between the bank’s risk level and its security protections. (Gaps should be translated into an action plan approved by the board, which may include (1) reducing some elevated information security risk factors, (2) strengthening the bank’s information security controls in some areas or (3) a combination of both.)

Examiners will use the Assessment Tool at each IT exam and will compare results from one exam to the next to determine if a bank’s cybersecurity risks are increasing or decreasing. The Assessment Tool will also help regulators to measure how your bank’s level of cybersecurity risk compares with other banks across the country.

If you have not already done so, you need to complete the Cybersecurity Assessment Tool, explain the results to your board and consider what this means for your bank.