How Risk Culture Drives a Sound Third-Party Risk Management Program


risk-10-1-18.pngRisk culture plays a role in every conversation and decision within a financial institution, and it is the key determinant as to whether a bank performs in a manner consistent with its mission and core values. Risk culture is a set of encouraged, acceptable behaviors, discussions, decisions and attitudes toward taking and managing risk.

Third-party risk management (TPRM) is a fairly new discipline that has evolved over the past few years from legacy processes of vendor or supplier management functions previously used by companies to manage processes or functions outsourced to third parties. A “third-party” now refers to any business arrangement between two organizations.

The interagency regulatory guidance (The Federal Reserve Board, OCC, FFIEC and CFPB) says a bank cannot outsource the responsibility for managing risk to a third-party especially when additional risks are created. These risks may relate to executing the process or managing the relationship.

The recent Center for Financial Professionals (CFP) Third Party Risk Management survey “Third Party Risk: A Journey Towards Maturity” underpinned the issue around risk culture given the resourcing dilemma that most organizations face. Getting top-down support and buy-in was an issue posed by respondents in the survey. One respondent stated, “The greatest challenge ahead is to incorporate third party risk management goals into the goals of the first line of defense.” Another respondent stated, “Challenges will be to embed this into the organization, including [the] establishment of roles and responsibilities.” In particular, TPRM teams found it challenging to get buy-in from the first line of defense for the management of cyber risk and concentration risk.

Effective TPRM can only be achieved when there is a risk-centric tone, at the top, middle and bottom, across all layers of the company. Clear lines of authority within a three-lines-of-defense model are critical to achieving the appropriate level of embeddedness, where accountabilities and preferred risk management behaviors are clearly defined and reinforced.

Root cause analyses on third-party incidents and risk events (inclusive of near-misses) should be better used by organizations to reinforce training and lessons learned as it relates to duties performed by the third party. Risk event reporting and root cause analysis allows leadership to identify and understand why a third party incident occurred, identifies trends with non-performance of service-level agreements with the third party, and ensures appropriate action is taken to prevent repeat occurrences as it relates to training, education or communication deficiencies.

Risk culture is paramount to achieving benefits from the value proposition of an effective and sustainable TPRM program, and also satisfies regulators’ use test benchmarks.

Roles and responsibilities must be clearly defined and integrated within a “hub and spoke” model for the second-line TPRM function, the first line third-party relationship managers and its risk partners. Clearly, there is a need for financial institutions to (1) implement a robust training and communication plan to socialize TPRM program standards, and (2) ensure first-line relationships and business owners have been provided training.

Risk culture mechanisms that facilitate clear, concise communication are fundamental components for a successful TPRM program – empowering all parties to fulfill responsibilities in an efficient, effective fashion. The challenge of managing cultural and personnel change components cannot be underestimated. As a result, the involvement of human resources, as a risk partner, is critical to a successful resource model. With respect to cultural change, a bank should observe and assess behaviors with current third-party arrangements. The levels of professionalism and responsibility exhibited by key stakeholders in existing third-party arrangements may indicate how much TPRM orientation or realignment is required.

Key success factors to build a robust risk culture across TPRM include:

  • Clear roles and responsibilities across the three lines of defense and risk partners within the “hub and spoke” model for risk oversight.
  • Greater consistency of practices with regards to treatment of third parties. Eliminate silos.
  • Increase understanding of TPRM activities and policy requirements across the relationship owners and risk partners.

Indicators of a sound TPRM culture and program include:

  • Tone from the top, middle and bottom – the board and senior management set the core values and expectations for the company around effective TPRM processes from the top down; and front-line business relationship manager behavior is consistent from the bottom-up with those values and expectations. 
  • Accountability and ownership – all stakeholders know and understand core values and expectations, as well as enforcement implications for misconduct. 
  • Credible and effective challenge – logic check for overall TPRM framework elements, whereby (1) decision-makers consider a range of views, (2) practices are tested and (3) open discussion is encouraged.
  • Incentives – rewarding behaviors that support the core values and expectations.

Setting a proper risk culture across the company is indeed the foundation to building a sound TPRM program. In other words, you need to walk before you can run.

Shelter From the Cyber Storm


cybersecurity-11-16-17.pngIn 2014, the Federal Financial Institutions Examination Council issued a statement on behalf of its members—including the Federal Deposit Insurance Corp., the Federal Reserve, the Office of the Comptroller of the Currency and the Consumer Financial Protection Bureau—recommending that financial institutions of all sizes participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC), an organization focused on threat intelligence analysis and sharing. Cybersecurity has been a growing issue for the U.S. economy and the banking industry, and cyber intelligence is a significant focus of the organization, as well as natural disasters, such as the recent hurricanes that hit Texas, Florida and Puerto Rico. “Participating in information-sharing forums is an important element of an institution’s risk management processes and its ability to identify, respond to, and mitigate cybersecurity threats and incidents,” the FFIEC said in the statement. “Financial institutions participating in information-sharing forums have improved their ability to identify attack tactics and successfully mitigate cyberattacks on their systems. Additionally, these institutions have gained deeper insight into specific vulnerabilities and collected methods for identifying vulnerabilities on their systems and enhancing controls.”

Resources like FS-ISAC help banks learn from each other about the cybersecurity threats facing the industry. But what happens when hackers hit your bank, and customers’ data is compromised?

Sheltered Harbor, an affiliate of FS-ISAC based in Reston, Virginia, was established following a series of cybersecurity simulation exercises, called the Hamilton Series, which were conducted by the Financial Services Coordinating Council, in coordination with the U.S. Dept. of the Treasury and with support from FS-ISAC. “These exercises are tabletop simulations of possible events with the goal to exercise, in the classic sense of practice, and to identify vulnerabilities that should be addressed by the industry,” says Steven Silberstein, the chief executive of Sheltered Harbor. “Sheltered Harbor is the industry’s response for one of these vulnerabilities: to ensure business continuity for retail banking customers if an attack happens, and all defenses fail.” The organization partners with member banks to ensure their customers’ accounts are safe should a cyberattack damage the bank’s data. If a bank is unable to recover from such an attack in a timely manner, the bank’s customers would still be able to access their accounts through another member financial institution. The data is encrypted and remains private, and there is no disruption in service for the customer.

Much like its parent organization, FS-ISAC, Sheltered Harbor helps banks work together to ensure the safety of consumer data. Regulators don’t require that banks join, but Sheltered Harbor already represents 63 percent of U.S. retail bank and brokerage accounts, according to the organization. Membership fees are based on a sliding scale and are determined by the size of the financial institution.

In this interview, Bank Director Director of Research Emily McCormick asks Silberstein about lessons learned from recent cyberattacks, and the policies and procedures that institutions should have in place to protect customers if a cyberattack damages account data.

BD: What are some lessons that bank boards should take to heart following recent cyberattacks, including the Equifax data breach?

Silberstein: Bank boards should have a tight pulse on the organization’s cybersecurity preparedness and cyber hygiene. Many corporations have cybersecurity scorecards that are updated and shared with the board of directors. These scorecards enable the board to assess the security of the enterprise and make appropriate decisions about strategy, staffing and internal standards.

In this rapidly evolving cyber environment, it’s important to use the most advanced technology to protect all of the “doors” to your company. Utilize scorecards as living and evolving tools to maintain a pulse on preparedness, and always ask what could happen from a business point of view, not just a cyber point of view. I call this healthy paranoia.

BD: What information should be included on those cybersecurity scorecards?

Silberstein: Each organization needs a consistent framework to continually assess risks, report on them, and respond to current and future risks. These include internal and external risks, existing vulnerabilities and remediation programs underway, recent events and lessons learned, organizational challenges, and third-party risk. Additionally, an organization can measure its cybersecurity implementation using frameworks like the Integrated Adaptive Cyber Defense, or IACD, framework and/or the National Institute of Standards and Technology [NIST] cybersecurity framework. Using the IACD framework, financial institutions can quickly prevent, detect and respond to attacks that may impact customers using technical guidelines for application of commercially available automation technology tools and systems. The NIST framework is about assessing risk and developing a risk management plan. The two frameworks complement each other.

BD: What does it mean when a financial institution becomes Sheltered Harbor ready?

Silberstein: When a financial institution becomes Sheltered Harbor ready, it means that it has implemented the additional resiliency prescribed by the Sheltered Harbor specification. At a high level, the model empowers financial institutions to securely store and rapidly restore customer account information using an industry standard format. Consumers would then benefit by having access to their accounts and basic transactions rapidly restored after a major incident at an institution.

BD: What policies, systems and personnel does the bank need to have in place in order to make this work?

Silberstein: First, most institutions are using a service provider for core banking services. Most large service providers are already implementing Sheltered Harbor capability, so for these institutions the focus is mainly on the business continuity planning that is specific to the Sheltered Harbor Model.

For institutions running their own core processing, an additional process of extracting customer account data, then putting the data into a standard format, encrypting it and finally storing the data in a very secure fashion per the specification encompasses most of the work. The institution must do some resiliency planning and organize a backup core service provider. The Sheltered Harbor specifications provide the controls and processes needed to ensure interoperability.

BD: The initiative helps member financial institutions store secure customer data above and beyond existing practices. Why should banks, particularly community banks, invest in putting this into in place?

Silberstein: Our industry’s investment in protecting everyone connected to financial institutions is second to none. Nevertheless, we cannot guarantee 100 percent protection. So if a financial institution is severely disabled, we need a safety net like Sheltered Harbor to protect consumers, allowing them to continue to manage daily financial transactions in their lives.

What CEOs and Directors Need to Know About Their Bank’s Cyber Risks


cybersecurity-8-21-17.pngCybersecurity is quickly moving to the forefront of pressing concerns for financial institutions and their leaders. Regulators and examiners increasingly are expecting the board of directors and C-suite executives to obtain a greater familiarity with cyber threats and mitigation measures.

In May 2017, for example, the Federal Financial Institutions Examination Council (FFIEC) updated its Cybersecurity Assessment Tool (CAT), which was developed to help identify an institution’s risks and determine its preparedness. The FFIEC’s instructions for using the assessment explicitly contemplate the involvement of the chief executive officer and the board. Banks aren’t yet required to use CAT, but it’s expected to become mandatory eventually.

The message is clear—executives no longer can afford to take a hands-off approach to cybersecurity. They need to stay informed on critical security issues, and their chief information security officers (CISOs) should play a key role in keeping them up-to-date.

Role of the CISO
The CISO plays an advisory role, helping other C-suite executives make better, risk-informed decisions in the day-to-day execution of the bank’s operations. A CISO also can help design and implement the security strategy a bank deploys to effectively protect itself and its customers from known threats.

To provide the expected advisory services, the CISO must be aware of the current threats (including general threats, industry-specific threats and even institution-specific threats) confronting the bank. In addition to understanding this threat landscape, the CISO needs intimate knowledge of the bank’s ability to mitigate these threats, which includes evaluating the existence and effectiveness of the security program and its controls, and communicating the results to the C-suite.

Armed with measurements of the existence and effectiveness of the security program’s controls, the CISO can provide specific advice to the CEO and other C-suite members about the risks facing the bank and the additional steps that might be necessary.

The CISO regularly should brief executives on the following:

Status of Security Controls
Security controls—composed of people, processes and technology working together to mitigate specific threats—are the bedrock of any cybersecurity program. Executives must understand the status of such controls to know how well the bank is equipped to defend against threats.

Evaluating the status of such controls can be accomplished with dashboards that provide executives with a visual representation of all required security controls and the effectiveness of each. It is important for executives to understand how the effectiveness is measured. Is it a system that just measures the existence of the control, or is some form of measurement or testing done on the control? Historical metrics related to control implementation and effectiveness also are essential to provide perspective and illustrate progress (or lack thereof).

Status of Regulatory Compliance
Banks are subject to a broad and complex web of compliance obligations. Depending on the services they offer, applicable state and local regulations, and the types of information they process, the regulatory burden can differ dramatically among banks. For every financial institution, though, failure to comply can lead to fines, lawsuits and customer loss. The CISO should brief fellow C-suite executives on the bank’s current compliance status with all applicable laws and regulations. He or she also should update executives on how the bank is tracking and proactively preparing for potential regulatory changes.

Upcoming Security Initiatives
The CISO should explain current threats and the areas of risk that need to be addressed through various security initiatives, a measure which might require capital expenditures and approval from executive management. The explanation should cover not only where the security program stands today but also the overall direction going forward. Because this information can affect business initiatives that are not directly related to security, it facilitates risk-informed decision making.

Risk Management
Risk management is an ongoing process conducted by the security team to identify the areas with the highest level of risk based on known threats, weaknesses, controls and assets. In the end, the security team might determine that some identified risks are not sufficiently mitigated or that the residual risks remaining after the controls have been implemented are so considerable that they require new security initiatives. This information is vital for executives, as risks that aren’t adequately addressed must be considered when conducting business operations.

Know What You Know—And What You Don’t
No one, not even regulators and examiners, expect C-suite executives to be experts on cybersecurity issues. These executives should, however, understand their banks’ security posture so they can satisfy regulatory expectations and make better, risk-informed decisions for the overall business.

New Rules for Financial Firms in New York Put New Onus on Boards


cybersecurity-7-10-17.pngNew York-based financial services companies are under a new rule of law, intended to protect consumers from the repercussions of a cyberattack and one that puts boards in a front-and-center role when it comes to the company’s security.

Touted as the first law of its kind in the United States, New York enacted new cybersecurity regulations this year, outlining standards that are sure to resonate beyond the financial businesses—such as banks, insurance companies and other financial services firms—that the law targets.

How Far Does Regulation Go?
Companies regulated by the state’s Department of Financial Services (DFS) are required as of March 1, 2017, to create and maintain a cybersecurity program to protect the privacy of consumers and the safety of the state’s financial services industry.

It only applies to those that DFS oversees—in other words, only financial services organizations must comply with the regulation.

New York’s rules, DFS notes, don’t extend to nonfinancial companies. There are limited exemptions for companies with fewer than 10 employees, less than $5 million in gross annual revenue or less than $10 million in year-end total assets.
Still, the message from New York is a strong one: consumers are protected here, and financial firms will be held accountable.

Several of the regulation’s mandates outline the ways in which a company must comply, and in doing so, vastly widens the base of those culpable for a breach and the requirements of a board to pay attention to its potential vulnerability and its cybersecurity planning.

New Duty for Board Members
The idea that board members should make cybersecurity a priority has risen over the years, coming into focus with the Target data breach in 2013 that resulted in members of the board of directors being sued.

In reality, banking regulators have held boards responsible for their banks’ cybersecurity program for years, as described in the Federal Financial Institutions Examination Council’s IT Examination HandBook.

In it, the banking regulators place oversight of the development, implementation and maintenance of the IT security program in the board’s hands, and say the board must hold senior management accountable for its actions and review the overall status of the program at least annually.

This new regulation expands on that. It requires board members to ensure that there’s a framework in place at the company “for a robust cybersecurity program,” and one “that is adequately funded and staffed, overseen by qualified management, and reported on periodically to the most senior governing body of the organization.”

That means nontechnical leaders on the board must take an active role in security oversight.

For the first time, the new rules say the firm must hire a chief information security officer, or CISO, to oversee policies and ensure that they’re working effectively. The CISO would report at least annually to the board, the DFS says, and according to the regulation, that person can be employed by an affiliate or third-party provider instead of being employed by the company itself.

It’s not uncommon for companies to have much of the new regulation’s guidelines already in their processes, but it’s good to tie it to risk assessments. Lastly, as the law firm McGuireWoods notes, the new rules require penetration testing at least annually and vulnerability assessments at least quarterly. Among new provisions, institutions must track and maintain cybersecurity records for at least six years, encrypt sensitive data and report any cybersecurity event to the Department of Financial Institutions within 72 hours of becoming aware of it.

What Comes Next
Entities have varying times to comply with specific requirements, from 180 days to two years after the regulation went into effect in March. Financial companies outside of New York are likely to look at these regulations to get a sense of what’s coming for the greater industry.

To learn more about protecting your organization’s security as a member of a board, read this white paper written in conjunction with the New York Stock Exchange to improve your cybersecurity practices.

Bank Regulatory Update: Three Things to Think About for 2017


regulation-1-18-17.pngSignificant regulatory changes continued to affect the banking industry in 2016. The industry generally has moved beyond implementing the requirements of the Dodd-Frank and Wall Street Reform and Consumer Protection Act, but regulatory expectations continue to rise, with increased emphasis on each institution’s ability to respond to and withstand adverse economic conditions. Regulatory supervision, often through oversight from multiple agencies, is becoming more focused on supporting compliance efforts with strong corporate cultures within the institution. Managing regulatory compliance risk for a financial institution has never been more complex.

Looking forward to 2017, regulators are expected to continue to ramp up expectations in several areas. Industry stakeholders undoubtedly will be watching closely as the new administration takes control of the White House. However, regulators are expected to continue to increase their emphasis on three areas: cybersecurity risk, consumer compliance and third-party risk management.

1. Cybersecurity Risk
Cybersecurity is likely to remain a key supervisory focal point for regulators in 2017. Regulatory officials have stressed that cybersecurity vulnerabilities are not just a concern at larger financial institutions: small banks also are at risk. As such, financial institutions of all sizes need to improve their ability to more aptly identify, assess and mitigate risks in light of the increasing volume and sophistication of cyberthreats.

The Federal Financial Institutions Examination Council (FFIEC) agencies have established a comprehensive cybersecurity awareness website that serves as a central repository where financial services companies of all sizes can access valuable cybersecurity tools and resources. The website also houses an FFIEC cybersecurity self-assessment tool to help banks identify their risks and assess their cybersecurity preparedness. The voluntary assessment provides a repeatable and quantifiable process that measures a bank’s cybersecurity preparedness over time.

2. Consumer Compliance
The Consumer Financial Protection Bureau (CFPB)—now a more mature entity—is having a dramatic impact on the supervisory processes around consumer financial products. While the CFPB conducts on-site consumer exams for financial institutions with more than $10 billion in assets, it also has begun to work with regulators in consumer supervisory efforts in smaller banks. The CFPB also has issued a significant number of new and revised consumer regulations that apply to institutions of all sizes. Some of the more onerous requirements center on mortgage lending and truth-in-lending integrated disclosures (TRID).

The CFPB also continues to cast a wide net when it comes to gathering consumer complaints about financial products and services through its consumer complaint database. The latest snapshot shows the database contains information on more than one million complaints about mortgages, student loans, deposit accounts and services, other consumer loans, and credit cards.

CFPB examiners often use complaints received through the database as a channel for reviewing practices and identifying possible violations. This continued pressure has forced financial institutions to ensure their compliance management systems are supported by effective policies, procedures and governance. But keep in mind, it’s even more important now to adequately aggregate, analyze and report customer-level data, so your institution can identify and remediate problems before the regulators come after you, and so you don’t get accused of “abusive” practices under the Dodd-Frank Act.

3. Third-Party Risk Management
As a component of safety and soundness examinations, effective third-party risk management is regarded as an important indicator of a financial institution’s ability to manage its business. As a result, regulatory examinations consistently include an element of third-party risk management, and all of the federal bank regulators have issued some form of guidance related to third-party risk. The Federal Reserve’s (Fed’s) SR 13-19 applies to all financial services companies under Fed supervision. The Fed guidance focuses on outsourced activities that have a substantial impact on a bank’s financial condition or that are critical to ongoing operations for other reasons, such as sensitive customer information, new products or services, or activities that pose material compliance risk.

Guidance from the Office of the Comptroller of the Currency (OCC) on third-party risk (Bulletin 2013-29) generally is more comprehensive than the Fed guidance and requires rigorous oversight and management of third-party relationships that involve critical activities. The OCC bulletin specifically highlights third-party activities outside of traditional vendor relationships.

Outlook
The critical areas discussed here are just a few for which banks need to expect more regulatory scrutiny in 2017. While there are early indicators that some elements of Dodd-Frank and other regulatory requirements could be pared back as the new administration takes control of the White House, the industry will need to closely monitor any changes and adjust compliance efforts accordingly.

The Three Top Reasons For Vendor Consolidation


vendor-manangement-11-8-16.pngWhy should banks and credit unions consider consolidating their vendor relationships? Here are three top reasons why:

1. Save Time And Money
Banks and credit unions that reduce the number of their vendor partnerships can increase their operational efficiency and productivity. When an institution partners with multiple vendors, typically that means staff has to deal with multiple back-end systems, often accessing each system numerous times a day and struggling to keep abreast of all of the updates for every system. Sometimes, staff is even unnecessarily bogged down with having to deal with duplicative systems from multiple vendors.

Consolidating vendor relationships also can significantly reduce the amount of training for staff as well as for customers. Bank and credit union staff typically has to train customers on how to use vendors’ private-labeled portals, and that can be time-consuming, particularly if a financial institution uses multiple vendors with multiple portals. But if an institution uses the same vendor for multiple solutions that all have the same look and feel and the same technology, then training of both staff and customers is significantly reduced.

When banks and credit unions are able to negotiate fewer contracts, they can conduct less due diligence on potential vendors, as well as get more for their money by reducing the amount of monitoring and reporting required for risk and assessment compliance. On the other hand, having multiple contracts with multiple vendors adds even more burden to staff because they will also have to monitor different contract term dates for renewal, and then they’ll have to determine how one expiring contract could impact solutions from other vendors.

Furthermore, when a bank or credit union uses fewer vendors, the institution has more negotiating power because it frees up more dollars with the remaining vendors. The higher the volume provided to a vendor, the more likely they will offer their best pricing resulting in lower cost.

2. Save On Vendor Due Diligence
Financial institutions are increasingly responsible for keeping up with the third-party vendor management requirements of the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, the National Credit Union Administration, the Federal Reserve, and for state-chartered institutions, the requirements of state regulators.

For example, the FDIC’s Guidance for Managing Third-Party Risk (FIL-44-2008), provides four main elements of an effective third-party risk management process: risk assessment, due diligence in selecting a third party, contract structuring and review and oversight. But today, there’s even more heightened scrutiny, as a number of high-profile security breaches of major vendors has caused regulators to make sure that financial institutions are actually taking all the necessary steps spelled out in the regulations, such as the IT handbook of the Federal Financial Institutions Examination Council (FFIEC).

Banks and credit unions can find it very time consuming to conduct the proper due diligence and ongoing monitoring on each vendor. By partnering with a one vendor, financial institutions can significantly reduce their compliance burden.

3. Help Customers
Consolidating vendors can enable banks to greatly elevate the experience for their customers, by providing a single platform that is easy to navigate. Banks may also have access to additional monitoring and reporting of customer activity to help prevent and detect fraud.

Vendor consolidation can provide substantial return on investment by saving time and achieving cost savings, as well as reduce regulatory burdens by providing the right monitoring and reporting to meet compliance requirements. Partnering with a one vendor can not only save time and money and boost return on investment, but also enhance customer loyalty by elevating the user experiences on the platform.

The New FFIEC Information Security Examination Procedures: What Boards Should Be Doing Now


FFIEC-9-14--16.pngHow effective is your bank’s approach to information security, including cybersecurity? On September 9, the Federal Financial Institutions Examination Council (FFIEC) published new information security examination procedures. It is critical that boards and management teams quickly get up to speed on the new exam procedures so there are no surprises in the bank’s next exam that adversely impact earnings, capital or value creation.

The new exam procedures focus on assessing the quality and effectiveness of the bank’s information security program, including its culture, governance, security operations, with emphasis on cybersecurity, and assurance processes, such as self-assessments, penetration tests, vulnerability assessments and independent audits. The procedures contain eleven objectives for the examiners to attain.

The objective relating to security operations and cybersecurity is especially noteworthy, as it contains enhanced expectations. Both in the preamble and in the specific exam procedures, there is recognition that it is not a question of if, but when an attacker will break into the network, so banks need to enhance threat identification, monitoring, detection and response. Examiners will evaluate whether the bank has monitoring in place to identify malicious activity, a process to identify possible compromises in the bank’s systems, and whether it uses tools that reveal and trace an attacker’s actions, such as attack or event trees, to size up exposures and respond effectively.

While speaking on cybersecurity on the main stage at Bank Director’s 2016 Bank Audit and Risk Committees Conference in June, I electronically polled the bank directors and senior executives in attendance. The results from the 206 respondents indicate a need for banks to beef up cybersecurity to meet these enhanced regulatory expectations. While cybersecurity is a top concern for bank boards, seventy-seven percent indicated that they do not review cybersecurity at every board meeting. Fifty-nine percent of attendees said that detecting anomalous activity or threats from malicious insiders are the cybersecurity risks for which their bank is least prepared.

FFIEC.PNG
Source: 206 respondents, Bank Director Audit and Risk Committees Conference June 2016

When I asked how many had implemented ongoing reviews of the network visibility map for risk oversight, only 31 percent had done so. This map visually shows all assets inside the network and helps identify threats. Without this visual map, the bank will be managing its cyber risks in the blind.

What the Board Should Do
Here are five steps that boards should take to remain proactive regarding information security.

  1. Review cybersecurity at every board meeting. Cybersecurity must be handled as a strategic boardroom issue, not as a back-office IT issue.
  2. Use the new information security exam procedures to perform a self-assessment. Identify and eliminate any deficiencies well in advance of the next exam.
  3. Review the network visibility map at every board meeting to visually identify all assets and the risk mitigation in place to protect them.
  4. Task a “hunt” team to identify anomalies within the bank’s network, as described in the new exam procedures. On average, attackers roam inside the network undetected for more than 200 days. Eliminate the exposure using advanced analytics that can mine through millions of records and reveal the attacker and the entire exposure. Response must be prompt.
  5. Conduct ongoing but randomly scheduled social engineering and phishing simulation training to keep employee awareness heightened. Education can prevent employees from falling victim to real attacks and becoming the weakest link in the chain.

In March, the Consumer Financial Protection Bureau fined an online payment processor for engaging in unfair, deceptive or abusive acts and practices (UDAAP), due to its failure to implement an adequate information security program and protect consumer data. Other regulators have taken notice, and will not hesitate to assess enforcement actions for information or cybersecurity deficiencies using UDAAP or other enforcement tools available against banks and its technology providers. Information or cybersecurity lapses can cause irreparable harm to the bank, and tarnish its reputation instantly. The stakes are very high. Banks must stay one step ahead.

Cybersecurity: Steps to Take Now


cybersecurity-7-1-16.pngThe Federal Financial Institutions Examination Council (FFIEC) and its member agencies are treating cybersecurity and the management of cybersecurity risks as a critical priority. Bank executives and board members should be aware of published guidelines that cover four key areas the FFIEC believes are most important:

  1. Governance: What are the bank’s policies and procedures? How does the bank establish and communicate expectations and conduct training? Is the entire organization, not just the IT department, involved in addressing cybersecurity risk? How would the institution react if something goes wrong?
  2. Threat intelligence: How does the institution monitor and remain aware of potential threats? What internal and external resources does the bank use to keep up-to-date on potential risks? What threat detection tools does the institution use? Does the bank participate in the FBI’s InfraGard and other intelligence sharing programs? How does the bank monitor and guard against unforeseen threats?
  3. Third-party relationships: As banks continue to outsource more non-core activities, the responsibility to manage cybersecurity with third party vendors is also increasing. Does the bank follow the Office of the Comptroller of the Currency (OCC) guidelines? Can the bank’s third parties pass the scrutiny of independent reviews (e.g., Service Organization Control (SOC 1, 2, 3) examinations)? It should be noted that the data breach at the retailer Target occurred a few years ago, at least in part, because of the activities of a third party vendor, and the FFIEC is focused on preventing that type of vulnerability within the banking system.
  4. Incident response: At last count, there were forty-six state laws and innumerable federal laws and regulations that address the reporting of data breaches of different types. Many of these laws and regulations differ in terms of when breaches must be reported and to whom. Determining if a breach actually occurred and how it occurred may add both time and complexity to the incident reporting process. A strong and effective incident response plan may help banks cut the time needed to manage and report the incident. It is critical that institutions have an incident response plan that can be successfully executed.

Federal legislation and additional regulatory scrutiny are surely on the horizon, as are state regulations that cover state-chartered institutions. For now, institutions should make these best practices a priority.

  • Begin at the top: Build a security culture that encompasses all departments and operations. Cybersecurity isn’t an IT issue, compliance issue, or audit committee issue. It is an organizational issue.
  • Be aware: Understand the recommendations and guidance from the FFIEC and the role that the OCC and other agencies play in safeguarding the banking industry. Become familiar with the cybersecurity framework developed by the National Institute of Standards and Technology (NIST).
  • Align strategies: Cybersecurity and risk management strategies shouldn’t be treated as stand-alone initiatives, but should be combined with general business practices as an integral part of an institution’s day-to-day operations.
  • Manage risks: Develop policies and procedures for monitoring, measuring, and mitigating risks—again, not just for IT employees, but for all departments and processes. Understand that risks can come from both inside (employees and vendors) and outside (hackers and cybercriminals). Also, understand, evaluate, and deploy the latest threat management tools.
  • Establish governance: Outline responsibilities for monitoring, evaluating, and reporting risks, both within the organization, especially to senior management, and to regulatory agencies and industry organizations. Establish clear procedures and actions that include accountability.
  • Participate: Take part in government and industry information-sharing groups and learn from other institutions and government officials.
  • Conduct ongoing training: As always, the three critical components of risk management are people, processes and technology. Ongoing education and training for all employees is critical to an overall risk management and cybersecurity strategy. Even lower-level employees with minimal network access can be a point of vulnerability that a hacker or third party can exploit.

Institutions that don’t have the internal resources to develop and implement a risk management and cybersecurity strategy can use outside specialists to manage all or part of the process.

Cybersecurity once focused on fraud (i.e., how banks can avoid losing money). Now, the federal government seeks to protect the integrity of the nation’s banking system, a much larger task. Institutions of all sizes will be expected to make cybersecurity an integral part of their operations going forward.

Four Best Practices to Help Bank Boards Manage New Cybersecurity Guidance


cybersecurity-6-6-16.pngUpdates to the FFIEC Management Booklet portion of the IT Examination Handbook in late 2015 have placed your board of directors under more pressure than ever to ensure the health and stability of your institution’s overall IT and cybersecurity environment.

While the board has always held ultimate responsibility for institutional governance, the revised handbook places extra demands on their level of knowledge and involvement, particularly in the areas of cybersecurity, examination procedures and IT management.

It’s perhaps the IT management portion and its two major changes that will prove most taxing to board members. First, the description of the IT management structure is more granular, with the addition of two new parties: executive management and a chief information security officer. Specifically, executive management is expected “to understand at a high level the IT risks faced by the institution and ensure those risks are included in the institution’s risk assessments. In the event that executive management is unable to implement an objective or agree on a course of action, executive management should escalate that matter to the board for more guidance.” The chief information security officer’s duties are spelled out in depth, and the guidance requires that person to report directly to the board, a committee of the board, or senior management—but not to someone in IT. The board is responsible for implementing this new governance structure.

Secondly—and of more concern—the updated guidance requires board members to provide “credible challenges” to bank management before approving IT or security decisions. This means they must maintain enough understanding of IT and cybersecurity matters to ascertain how these decisions might pose risks to the institution and whether they align with its overall strategy. And if they don’t understand something, they must be able to ask thoughtful, intelligent questions until they do.

Now, as most of us know, it isn’t uncommon for board members to “rubber stamp” IT management decisions, sending approvals through with a modest amount of consideration. So, given their accountability for understanding these matters before signing off on them, how can you help your board succeed?

It helps to view this challenge as a two-way street: the board provides oversight and governance, and the bank’s management and subject matter experts (SMEs) share their knowledge and information with board members to help them carry it out. There are four best practices to accomplish this task:

  1. Request that bank management, as well as the IT and security departments, begin passing relevant information to the board. Specifically, this includes monthly or quarterly summaries of incident reports that can apprise the board of any major incidents involving downtime, deployment of business continuity plans or anything else that could affect business decisions.
  2. Have your bank’s IT and security SMEs—or possibly an outside firm—provide the board with continuous updates on regulators’ expectations surrounding cyber risk management and oversight, as well as which high-level risks are circulating in the current environment. The experts also can consult with board members about why this knowledge is important, and how they can incorporate it into their strategic decisions.
  3. Encourage the board members to actively educate themselves by doing their own reading and research. To that end, ask one or two members to sit in on IT or security steering committees, then take the information they learn back to the rest of the board. This gives them access at the ground level.
  4. Invite the board to get involved with the Financial Services Information Sharing and Analysis Center (FS-ISAC), which shares the latest threat intelligence and attack methods, and encourages its financial industry members to do the same. If your institution has a membership—and it should—board members can access those resources and take part in the center’s bi-weekly conference calls.

Again, board members don’t have to become overnight SMEs. But they need to be involved, engaged and ready to ask some tough questions to ensure IT and security strategies are aligned with board expectations and the risk appetite they’ve set. If not, they shouldn’t be voting to approve IT plans.

After all, when it comes to IT, you can have all the best technology in the world, but if it’s unreliable or exposes your bank to too much risk, what good is it? It’s within the best interest of your institution and its board of directors to carefully apply the updated FFIEC guidance to all IT and security decisions.

2016 Risk Practices Survey: Banks Beef Up on Cybersecurity


cybersecurity-3-21-16.pngFor 77 percent of the bank executives and board members responding to Bank Director’s 2016 Risk Practices Survey, sponsored by FIS, cybersecurity remains their top concern, for the second year in a row. More than half indicate that preparing for cyberattacks is one of their organization’s biggest risk management challenges. While these concerns aren’t new, respondents this year indicate a shift in how their boards and executives are addressing the threat. Unfortunately, the fact remains that many banks still aren’t doing enough to protect themselves—and their customers.

Just 18 percent indicate their bank has experienced a data breach, but it’s important to note that these breaches were almost as likely to occur at a smaller, $500 million asset institution as at a larger institution above $10 billion. Cybersecurity can no longer be dismissed as merely a “big bank” concern.

In addition to identifying cybersecurity practices within the industry, the online survey asked 161 independent directors and chairmen, chief risk officers, chief executive officers and other senior executives of U.S. banks above $500 million in assets to weigh in on their bank’s risk governance, culture and infrastructure. The survey was conducted in January.

Compared to last year’s survey results, more respondents indicate their board reviews cybersecurity at every board meeting, at 34 percent compared to 18 percent last year. While this shift represents a significant increase in board-level attention to cyberthreats compared to last year, these institutions remain the exception rather than the rule.

Many banks have yet to fully utilize the Cybersecurity Assessment Tool, developed by the Federal Financial Institutions Examination Council and made available to banks in 2015 “to help institutions identify their risks and determine their cybersecurity maturity.” Sixty-two percent of survey respondents indicate their bank has used the tool and completed an assessment. However, just 39 percent have validated the results, and 18 percent established board-approved triggers for update and reporting. All three prudential regulators—the Federal Reserve, the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corp.— now use the tool in exams, regardless of the bank’s size. Several states have mandated its use as well.

Other key findings:

  • Seventy-eight percent indicate that their bank employs a full-time chief information security officer, up from 64 percent in last year’s survey.
  • Almost half report that the bank has a chief risk officer exclusively focused on risk, while 37 percent have a risk officer that is also focused on other areas of the bank.
  • Fifty-four percent of respondents who indicate that the bank has a CRO also say the board never meets with that individual.
  • Responses indicate a low level of board engagement with the chief risk officer: Just 21 percent indicate the CRO’s performance is reviewed, and compensation determined by, the board or a board committee.
  • Forty-eight percent of respondents govern risk within a separate, board-level risk committee, and 65 percent have at least one director who is considered to be a risk expert.
  • Forty-five percent indicate that risk performance is not incorporated into their bank’s compensation programs.
  • Just 55 percent indicate their bank has a risk appetite statement, which defines the acceptable amount of risk for an organization.

To view the full results to the survey, click here.

Cybersecurity: Five Best Practices To Protect Your Bank