Financial institutions today are under pressure to comply with mounting regulatory requirements, especially as they relate to cybersecurity guidelines. In fact, the FFIEC recently issued an update to the FFIEC Information Technology Examination Handbook’s Management Booklet to more explicitly integrate cybersecurity concepts. Additionally, the FFIEC released a new resource called the Cybersecurity Assessment Tool (CAT) to help financial institutions identify risks and determine cybersecurity preparedness. This in-depth “assessment provides a repeatable and measurable process for financial institutions to measure their cybersecurity preparedness over time,” according to the FFIEC.
Due to the “increasing volume and sophistication of cyber threats,” cybersecurity has quickly become a hot topic with regulatory agencies. Regulators expect banks to show evidence that they are measuring cybersecurity threats and preparedness using the CAT or a comparable framework. This expectation applies to banks of all sizes, from a rural one-branch bank to a national bank with billions in assets. For smaller banks with fewer resources and less compliance expertise, complying with the new regulations and requirements can be a challenge.
While some regulatory agencies have indicated that completion of the Cybersecurity Assessment Tool is not mandatory, all have stated they intend to use the tool to assess banks’ cybersecurity readiness. Examiners have already begun to issue verbal and written recommendations to financial institutions that have not filled out the CAT.
After completing the CAT, many community banks are finding they have a higher risk factor than they expected and are frantically searching for ways to efficiently manage the strategies needed to mitigate that risk.
What are your bank’s options for mitigating this increased cybersecurity risk?
Try to manage it yourself
Many banks that try to manage cybersecurity compliance in-house run into hurdles immediately. Keeping current with the knowledge and expertise the evolving regulatory environment demands is a time-consuming endeavor. The CAT assessment alone is about 128 pages. Small banks do not have the bandwidth to manage cybersecurity compliance efficiently and in a manner that meets regulator demands. Many community banks simply can’t afford to have a team dedicated to regulatory management.
Use a local IT service provider
Community bankers have a natural inclination to “shop local,” and that includes looking for service providers who can assist with IT and compliance needs. However, it is also important to understand the risks that generalist IT service providers pose to your institution given today’s oversight environment. Local IT service providers often do not have experience with the regulatory demands bankers face. Auditors and examiners will expect a thorough paper trail to prove that daily practices match defined policies and procedures, and often this must flow through IT resources. Knowledge of your banking applications, cybersecurity and compliance environment is vital!
Engage an experienced bank IT and compliance professional
To help augment limited personnel resources, community banks are increasingly partnering with IT and security service providers that specialize in financial institutions to better manage their growing compliance and security needs. It is important to partner with an organization with the right skills, knowledge and expertise.
The right IT service provider couples security measures with an understanding of and support for the unique compliance demands of the financial industry.