FRB, OCC and FDIC Are Preparing New Mandatory Cybersecurity Standards; FDIC Announces New IT Risk Examination Program Effective July 1

The Federal Reserve is currently working with the OCC and FDIC to create new minimum cybersecurity standards that banks must comply with. According to Bloomberg News, the effort by the three agencies has not yet been made public; but the move arises from a concern “that as digital breaches become more frequent and aggressive, an attack could cripple the entire financial system.”

A recent article in The Boston Globe disclosed that hackers gained access to a community bank’s network, installing malware that was directed not at the bank itself but at the Federal Reserve’s payment systems. Threats such as these, combined with many community banks’ apparent skepticism that they are not big enough to be targeted by an attacker, is motivating regulators to create mandatory minimum cybersecurity standards for all banks.

Each of the agencies is now taking a more aggressive role on cybersecurity, with most Federal and State regulators publicly stating that cybersecurity risks are a bank’s number one risk, ahead of both credit and interest-rate risks.

The FDIC announced on July 1 that its IT examinations will now be conducted using a new 60-page examination form that the FDIC just released in its FIL-43-2016. The FDIC’s new Information Technology Risk Examination (InTREx) Program is designed for examiners to fill out electronically and is effective July 1, 2016.

Banks that have either the FRB or the OCC as primary Federal regulator would benefit from reviewing the FDIC’s newly-issued examination questions because there’s a strong possibility all three agencies’ IT exam programs will look a lot more alike than different after new mandatory cybersecurity standards are released. Reviewing the guidance will give all banks an opportunity to update procedures internally that otherwise could result in criticisms when examiners make their next visit.

Impact on your CAMELS rating

In past IT examinations, regulators’ questions may have been more general or open-ended. Now, FDIC examiners will be drilling deeper, asking more specifically focused questions. Examiners also will assign grades to the bank, question-by-question. On each question, the examiner can rate the bank as strong, satisfactory, less than satisfactory, deficient or critically deficient. In addition, the exam form allows examiners to add “comments” as part of each answer. Based on grades assigned to these separate questions, the FDIC will also be giving a bank overall and separate-component ratings at each IT exam. These will be included in the Risk Management Report of Examination and will impact your management rating in the CAMELS rating for your bank.

Need for more lengthy explanations in responding to exception items

Because the new exam form makes it easy for examiners to provide specific criticisms or “corrective suggestions” following each question; because exam questions will probe many specific points in more detail; and because the bank is separately graded for each question, there will also be a greater need for explaining exception items following future IT exams. You will need to know how to respond.

The InTREx form is divided into separate areas or components, each of which will be assigned a component rating — Audit, Management, Development and Acquisition, Support and Delivery, Information Security Standards, and Cybersecurity. The exam questions include such matters as appropriate content of the bank’s policies; adequate employee training and testing; cybersecurity risk awareness and mitigation; business continuity preparedness; selection and supervision of third-party vendors; staffing IT-related positions with qualified persons (IT Officer and IT committee members); adequate reporting and review within the bank of IT-related matters; and effectiveness of supervision and risk-control of IT by the bank’s board.

What to do before your next exam

1) Ensure your bank’s policies are up to date
All banks should be aware that regulatory changes over the past 12 months have created the need to update various bank technology policies. BankOnIT continually updates client bank technology policies to ensure they meet regulatory standards.

2) Make sure policies are being followed
Once policies are updated the bank needs to ensure that employee education is in place and that policies are being followed because they will be examined in more detail.

3) Review Critical Activities Vendors
The new exam form will also draw attention to improving vendor due diligence procedures and vendor management with respect to all “critical activities” service providers. The bank may not currently be receiving adequate systems reporting and due diligence information from its “critical activities” vendors.

4) Call BankOnIT
What strategy will your bank use to prepare for the new examinations? Will you be able to respond to these 60 pages of questions with your current staff? Call us, we’ll be happy to review what capabilities you currently have and compare that to what BankOnIT can provide you.

For more information, contact BankOnIT at 800-498-8877, option 2, or at