Thomas J. Curry, the Comptroller of the Currency, recently stated that “… cyber threats [are] perhaps the foremost risk facing banks today … [and] represents one of the major, if not the major, risk facing banks today.” (Thomas J. Curry, Remarks at New England Council (Jul. 24, 2015))
Comptroller Curry’s words ring true — banks and financial institutions are constantly targeted in cyber attacks, whether from a hacktivist, criminal hacker, or foreign state actor. Banks hold a great deal of personal information that is highly valued in criminal markets.
Banks are devoting more and more resources to facing these threats. A cyber attack can cause significant monetary losses and reputational damage to a financial institution. But financial institutions also face another challenge, this one from their regulators, who are changing their approach to cybersecurity by emphasizing its importance and transforming it from an IT function into a board and senior management function of the highest importance.
From a risk perspective, a financial institution faces the challenge of keeping its own data and its customers’ data protected from cyber attacks and hackers. The regulatory perspective is slightly different. It seems logical that proper cybersecurity measures and protocols should equal compliance (although compliance does not necessarily equal cybersecurity), and cybersecurity is essentially a safety and soundness issue, but it is not that simple. The regulators are looking not only at whether a bank has appropriate safeguards against a cyber attack, but also at whether the bank is properly managing its vendors and maintaining adequate insurance coverage, and, most importantly, at whether the board and senior management are embedding cybersecurity into the bank’s culture and compliance systems. Another layer of difficulty is that one size does not fit all, given the range of banks in the United States, from a rural one-branch bank to a national bank with billions in assets.
For banks, the greatest and most immediate regulatory challenges will be in the governance, third-party vendor management, and cyberinsurance arenas. They will also face challenges during the examination process: they will need not only to ensure that their data is protected from cyber attacks, but also to ensure that their cybersecurity policies are compliant from the regulators’ viewpoint.
Legal and Regulatory Standards
First, what are the legal and regulatory cybersecurity standards for banks? At its heart, bank cybersecurity is a safety and soundness issue governed by Section 39 of the Federal Deposit Insurance Act. Banks are also governed by Section 501(b) of the Gramm-Leach-Bliley Act (GLBA) (12 U.S.C. § 6801), which protects customer information. GLBA requires financial institutions and banks, among other things, to ensure the security and confidentiality of customer information, and it governs how they use and share personal information. In addition, there are several bills pending in Congress, such as the Cybersecurity Information Sharing Act (CISA), that would facilitate the sharing of information between banks and law enforcement to prevent cyber attacks.
Under the federal banking regulations, the Federal Financial Institutions Examination Council (FFIEC), an interagency group comprised of the federal banking regulators (e.g., the FDIC, the OCC, the Federal Reserve, and the NCUA), is responsible for IT examinations and for assessing operational and information security risks. The FFIEC regularly issues guidelines and releases information about cyber attacks and cybersecurity. Some of its more recent and relevant actions include announcing and conducting a cybersecurity assessment pilot examination program for community banks and releasing the Cybersecurity Assessment Tool in June of 2015. The FFIEC Cybersecurity Assessment Tool is an important development because it gives institutions a process they can use to determine their own risks and cybersecurity preparedness. The Tool is consistent with prior FFIEC guidance, the National Institute of Standards and Technology (NIST) Cybersecurity Framework, and industry-accepted cybersecurity practices.
Other areas on which the FFIEC focuses in connection with cybersecurity are third-party vendor management, cybersecurity insurance, and board of director and senior management oversight.
Third-Party Vendor Management
The regulators are increasingly focusing on institutions’ management of third-party vendors and putting greater emphasis on the risks of outsourcing technology. This emphasis includes greater due diligence, contracting, monitoring, oversight and accountability, documentation and reporting, and review. Accordingly, a bank’s board and management have to be diligent in negotiating technology contracts. Although many technology vendors use form contracts, the institution should have its counsel (whether in-house or outside) review these contracts and negotiate appropriate compliant provisions.
Cybersecurity insurance is an emerging area. The regulators are strongly suggesting that banks evaluate their cybersecurity insurance coverage (whether through existing policies or a dedicated cybersecurity policy). However, the regulators have not provided any specific guidance on what constitutes adequate cybersecurity coverage. Thus, each institution faces the challenge of determining the scope of its own coverage.
Board and Senior Management Oversight
Increased board and senior management scrutiny by the banking regulators is perhaps one of the biggest developments in this area. Cybersecurity is not just an IT function anymore—it is a board and senior management function. The regulators want the board and senior management to set the tone from the top and want them involved at the highest levels. Recently, Deputy Treasury Secretary Sarah Bloom Raskin stated that banks need to “embed” cybersecurity into governance and culture. (Sarah Bloom Raskin, Remarks at the American Bankers Association Summer Leadership Meeting (Jul. 14, 2015)) Clearly, the board and senior management must be actively involved in this area going forward.
Bank and financial cybersecurity regulation and risk are evolving areas. Even though the regulators are continuing to update their guidance, many questions remain unanswered:
- Will the regulators treat banks and institutions with a one-size-fits-all approach, or will they tailor it to each bank’s specific risk profile?
- Will we see more cybersecurity cooperation and collaboration among smaller banks to achieve efficiencies of scale?
- What will the cybersecurity examinations reveal? What type of enforcement actions will we see?
- How will CISA affect banks and financial institutions?
- Will third-party vendor management come under even more scrutiny?
- How will cybersecurity insurance coverage evolve?
- How will board and senior management actively involve and educate themselves in cybersecurity?
While we don’t know the answers to these questions, we do know that this is an area the regulators will focus on with greater scrutiny, and that bank boards and senior management will have to devote resources and attention to staying not only compliant, but secure.