Cybersecurity: Steps to Take Now

The Federal Financial Institutions Examination Council (FFIEC) and its member agencies are treating cybersecurity and the management of cybersecurity risks as a critical priority. Bank executives and board members should be aware of published guidelines that cover four key areas the FFIEC believes are most important:

  1. Governance: What are the bank’s policies and procedures? How does the bank establish and communicate expectations and conduct training? Is the entire organization, not just the IT department, involved in addressing cybersecurity risk? How would the institution react if something goes wrong?
  2. Threat intelligence: How does the institution monitor and remain aware of potential threats? What internal and external resources does the bank use to keep up-to-date on potential risks? What threat detection tools does the institution use? Does the bank participate in the FBI’s InfraGard and other intelligence sharing programs? How does the bank monitor and guard against unforeseen threats?
  3. Third-party relationships: As banks continue to outsource more non-core activities, the responsibility to manage cybersecurity with third-party vendors is also increasing. Does the bank follow the Office of the Comptroller of the Currency (OCC) guidelines? Can the bank’s third parties pass the scrutiny of independent reviews (e.g., Service Organization Control (SOC 1, 2, 3) examinations)? It should be noted that the data breach at the retailer Target a few years ago occurred, at least in part, because of the activities of a third-party vendor, and the FFIEC is focused on preventing that type of vulnerability within the banking system.
  4. Incident response: At last count, there were forty-six state laws and innumerable federal laws and regulations that address the reporting of data breaches of different types. Many of these laws and regulations differ in terms of when breaches must be reported and to whom. Determining if a breach actually occurred and how it occurred may add both time and complexity to the incident reporting process. A strong and effective incident response plan may help banks cut the time needed to manage and report the incident. It is critical that institutions have an incident response plan that can be successfully executed.

Federal legislation and additional regulatory scrutiny are surely on the horizon, as are state regulations that cover state-chartered institutions. For now, institutions should make these best practices a priority.

  • Begin at the top: Build a security culture that encompasses all departments and operations. Cybersecurity isn’t an IT issue, compliance issue, or audit committee issue. It is an organizational issue.
  • Be aware: Understand the recommendations and guidance from the FFIEC and the role that the OCC and other agencies play in safeguarding the banking industry. Become familiar with the cybersecurity framework developed by the National Institute of Standards and Technology (NIST).
  • Align strategies: Cybersecurity and risk management strategies shouldn’t be treated as stand-alone initiatives, but should be combined with general business practices as an integral part of an institution’s day-to-day operations.
  • Manage risks: Develop policies and procedures for monitoring, measuring, and mitigating risks—again, not just for IT employees, but for all departments and processes. Understand that risks can come from both inside (employees and vendors) and outside (hackers and cybercriminals). Also, understand, evaluate, and deploy the latest threat management tools.
  • Establish governance: Outline responsibilities for monitoring, evaluating, and reporting risks, both within the organization, especially to senior management, and to regulatory agencies and industry organizations. Establish clear procedures and actions that include accountability.
  • Participate: Take part in government and industry information-sharing groups and learn from other institutions and government officials.
  • Conduct ongoing training: As always, the three critical components of risk management are people, processes and technology. Ongoing education and training for all employees is critical to an overall risk management and cybersecurity strategy. Even lower-level employees with minimal network access can be a point of vulnerability that a hacker or third party can exploit.

Institutions that don’t have the internal resources to develop and implement a risk management and cybersecurity strategy can use outside specialists to manage all or part of the process.

Cybersecurity once focused on fraud (i.e., how banks can avoid losing money). Now, the federal government seeks to protect the integrity of the nation’s banking system, a much larger task. Institutions of all sizes will be expected to make cybersecurity an integral part of their operations going forward.

The Job of the Audit Committee

As regulatory scrutiny intensifies and liability concerns mount, it’s more important than ever that financial institution audit committees are highly engaged. With the recession and the banking crisis fading in the rearview mirror, regulators are shifting their focus from asset quality to corporate governance—including the effectiveness of audit committees. Effective audit committees are likely to have the following critical attributes.

Proactive Involvement With Internal Audit
Greater audit committee participation in the internal audit process should be the new norm. In the past, audit committees typically took a more passive role—receiving reports from the internal audit department, entering them in the minutes, and rarely asking questions. But today, regulator criticism increasingly cites lack of detail in audit committee oversight of internal audit.

Regulators expect audit committees to have a better understanding of how the department operates on a daily basis and to be more involved with developing the risk assessment and the internal audit plan, including determining the scope of work. Rather than simply functioning as a rubber stamp, the audit committee should push back and challenge management when appropriate and ensure that internal audit has sufficient resources.

The challenge for some audit committees is achieving the necessary composition of members to provide effective internal audit oversight. The membership of audit committees, after all, is drawn from boards of directors, which may lack the requisite diversity in backgrounds and expertise. Financial institutions should address any such inadequacies.

Extensive Communication With External Auditors
The auditing standards under which external auditors work are undergoing significant changes that require expanded communication with the audit committee. The current auditing environment calls for more detailed communications and discussions between external auditors and the audit committee.

Yet, the communication the standards require is sometimes more complex than the information the audit committee wants to hear or has the ability to process. An effective audit committee needs to include at least one financial expert (preferably two) and to allow an appropriate amount of time for the sharing and understanding of vital information.

Comprehensive Understanding of Risk
Since the economy and financial services industry have begun to recover, regulators have placed greater emphasis on how financial institutions are managing risks currently and how risks will be managed in the future—what steps financial institutions are taking to identify risk earlier and respond appropriately. The audit committee therefore must satisfy a higher standard regarding its understanding of the entire organization when it comes to risk.

Regulators rightly assume that a financial institution’s overall strategy strongly influences the level of risk it is willing to assume, along with the level of controls required to monitor and mitigate that risk. In turn, the board and the audit committee are subject to substantially higher expectations related to their understanding of the institution’s risk profile, risk appetite, and mitigation and management of risk factors.

If the financial institution has a formal board risk committee, the audit committee should coordinate with it; if not, the audit committee often is delegated the responsibility for addressing risk management issues. In either case, the committee should stay on top of the bank’s chief risks (including understanding their probability and potential magnitude), the measures management is taking to combat those risks, and the amount of financial or reputation risk that management and the board have agreed is tolerable.

The Consequences of an Ineffective Audit Committee
A financial institution with an ineffective audit committee is vulnerable to regulatory consequences. The institution could find itself subject to criticism related to the audit committee’s failure to fulfill its responsibilities as laid out in the audit committee charter. In rare but potentially disastrous instances, the external auditors could conclude that the audit committee is ineffective, resulting in a finding of material weakness in the bank’s overall internal controls. To avoid such consequences, financial institutions must take action to see that their audit committees have the essential attributes.