Hey Guru,
 
Are we required to post any kind of statement to the public or our customers as to our readiness for the COVID-19? If so, can you direct me to the kinds of things we need to say? We are working on an ad to educate our customers on how to use our online products if they are concerned about coming out in public to the branch. Thanks!

I wouldn’t call it a requirement to post a statement, but it’s definitely a best practice. I could easily see the examiners being just fine with your generic Pandemic planning, but next time they come in asking “what specific steps did you take in reaction to the recent COVID-19 event?”

Lots of generic best practices out there (CDC, etc.), and of course your response would depend on your capabilities (encouraging e-banking vs. face-to-face transactions, and e-signatures for physical signatures on loan documents, for example). For some FI-specific resources and more, read the complete blog post at ComplianceGuru.com.

Cybersecurity-related attacks on the financial sector are increasing at an alarming rate, and a recent IMF estimate suggests that “…average annual potential losses from cyber-attacks may be …around $100 billion”. Another study indicates that “…financial services firms also fall victim to cybersecurity attacks 300 times more frequently than businesses in other industries.” These two metrics make cybersecurity a critical issue for banks and credit unions, and in fact, we consistently find this issue in the top 3 concerns for financial institution CEOs, boards, and senior management.
What is the best way to approach this critical issue? We think there are three important questions the CEO and senior management should be asking about cybersecurity:

How much cyber risk is “acceptable” to my institution?

“Acceptable” risk levels are also referred to as “risk appetite”, because if management determines that residual risk levels are within their pre-established risk appetite, those residual risks are, by definition, acceptable.

Risk appetite is broadly defined as the amount of risk an entity is willing to accept in pursuit of its strategic mission. According to the FFIEC Cybersecurity Assessment Tool (CAT), the Board and senior management should establish a risk appetite level consistent with their strategic goals and objectives. Risk appetite is clearly an important concept to regulators, as the term is repeated 17 times in the CAT.

But is it reasonable that a single risk appetite level should apply to the entire enterprise? Institutions offering products and services online are willing to accept a higher level of cyber risk then those who don’t. Even among online services, some might be riskier than others. For example, offering simple online access to account information vs. offering funds management services like investment accounts. For this reason, we recommend risk appetite levels be established at the business process level. These individual levels can then be rolled up to an overall composite risk appetite.

How do I determine my current level of cyber risk?

To determine an institution’s cybersecurity posture, the CAT provides a regulator designed and approved, repeatable methodology that utilizes a two-step process. First, establish an Inherent Risk Profile, and second, determine your Cybersecurity Control Maturity. The Inherent Risk Profile identifies the institution’s inherent risk before implementing controls. The Cybersecurity Control Maturity includes domains, assessment factors, contributing components, and individual declarative statements across five maturity levels to identify specific controls and practices that are currently in place.

By reviewing your institution’s inherent risk profile and control maturity levels across the enterprise, management can conduct a gap analysis to determine whether its maturity levels are acceptable in relation to its risk. In other words, are our residual risks within pre-established risk appetite levels? If they’re not, the institution must either reduce the level of risk, or (more commonly) increase the levels of control maturity.

One more thing about cyber risk; of the 3 categories of controls (preventative, detective, and corrective/responsive), often preventive and detective controls aren’t applicable, leaving only corrective/responsive measures. That’s why testing is so critical, which brings us to the final question…

When was the last time we conducted a cyber incident response test?

The answer should be recently. Here’s why: Not all traditional disasters have a cyber element to them, but many cyber events have a system recovery element that may impact your ability to deliver products and services to your customers. Cyber incidents can also often indicate a violation or deviation from your security policies and best practices, for example if an employee or third-party either intentionally or inadvertently caused the incident. This may lead to policy changes, or at least the need for additional internal training.

Senior management must ensure their institutions have adequate incident response capabilities so they can detect incidents (whenever possible), contain and control the impact, and ultimately recover. Testing is the only way to definitively verify that your institution has effective cyber incident resilience and recovery capabilities. Periodic testing also helps to ensure an incident response plan is being maintained in a state of constant readiness so that you can react quickly. Unlike a natural disaster which will often provide at least a short window of warning, a cyber event typically does not. In fact, recent studies indicate that more often than not, it is the customer that first detects a cyber event, not the institution.

Lastly, financial institutions should conduct testing based on the probability and impact of the event or incident being simulated. Since it is far more likely that you’ll be impacted by a cyber event as opposed to a catastrophic natural disaster, incident response capabilities should be tested at least as often as your BCP, or at least annually.

Final Thoughts

New types of security-related incidents are constantly emerging. Consequently, CEOs and senior management of financial institutions must be prepared to keep IT resources ahead of the current threat environment. When we address Boards on cybersecurity matters, we often get asked why cybersecurity spending should increase even if our risk profile hasn’t. The threat environment is increasing and evolving, so even if your inherent risk profile isn’t changing you must still increase control maturity levels over time to maintain your residual risk within your risk appetite levels. As the FFIEC IT Handbook’s Information Security Handbook states,

There are many other areas related to cybersecurity that CEOs and senior management should be considering. To gain more insight into those areas, as well as other key topics for CEOs to be aware of, download our white paper, Top IT Areas Where CEOs of Financial Institutions Should Focus: Important Questions and Answers.

In today’s business environment, cyber threats are constantly evolving, and financial institutions are among the most highly targeted industries. Financial institutions are considered part of the critical national infrastructure, and protecting NPI (non-public information) and financial transactions is a high priority for banks and credit unions as they strive to address ransomware, account takeovers, mobile banking exploitation, and other cybercrimes.

The role of the Information Security Officer (ISO) is an important strategic IT and business role with a high level of visibility, responsibility, and associated accountability. The Information Security Officer is required to interact with the IT steering committee, board of directors, auditors, examiners, and others to provide periodic status updates on the institution’s information security program. To date, we have identified 7 distinct areas of responsibility for the ISO, consisting of 35 individual metrics requiring reporting and documentation.

Qualities for this role include leadership skills, political influence, thorough knowledge and understanding of regulatory requirements, the ability to work with internal management and third parties, and an in-depth understanding of the organization’s technology infrastructure and operations. This is a tall order for any organization much less a community financial institution that may lack individuals with expected qualifications, bandwidth, and experience. The vast majority of community financial institutions do not have dedicated ISO’s, but instead add the title (and associated responsibility and accountability) to someone that may already wear multiple hats.

To assist those taking on the role of an ISO at a community financial institution, we’ve provided five areas of focus for success:

Ensure the Protection of Information

The ISO’s primary responsibility is to safeguard the security and confidentiality of nonpublic information (NPI) as well as the institution’s financial transactions. In doing so, the ISO must lead efforts to ensure adequate administrative, technical, and physical controls based on risk are in place. Information assets encompass everything from hardcopies archived in a file cabinet, to information stored in a computer system to data being transmitted over the internet (including remote deposit capture and mobile banking transactions).

Understand Key Regulations and Requirements for Compliance

The ISO must adhere to the Gramm-Leach-Bliley Act (GLBA), which is also known as the Financial Modernization Act of 1999. The GLBA, which requires financial institutions to explain how they share and protect their customers’ private information, provides a strong framework for information security. So does the Federal Financial Institutions Examination Council (FFIEC). The FFIEC is a five-member agency responsible for establishing consistent guidelines and uniform practices and principles for financial institutions. They have published, and periodically update, 12 handbooks for information security requirements and best practices. The ISO must understand the regulatory expectations of both GLBA and FFIEC.

Be Proficient in Cybersecurity and the Cyber Assessment Tool (CAT)

Cybersecurity, according to the FFIEC, is the evolving process for protecting consumer and bank information by preventing detection and responding to attacks. The FFIEC outlines specific cybersecurity standards within the CAT, which is designed to help institutions determine their cyber risks and control maturity levels. Although financial institutions are not required to use the CAT to conduct their annual cyber assessment, they are expected to annually assess their cyber posture and report that status to the Board. Since the CAT is the defacto standard for cybersecurity measurement, it is the most common methodology. ISO’s must also be familiar with the FFIEC IT Examination Handbook and cybersecurity standards, which cover business continuity planning, IT/information security policies, audit, incident response planning, and other important topics.

Perform Duties Beyond Overseeing and Coordinating Proactive Security Efforts

Since no environment is ever 100% secure all the time, the ISO is also responsible for responding to attempted/actual cyber-attacks in a timely manner which may include potential involvement in legal proceedings; interacting with the cyber insurance coverage carrier; accountability for commercially reasonable security controls; strategic planning for internal infrastructure change; growth/acquisition; overall IT/cyber risk appetite; risk assessments for new technology; and customer-facing online banking services.

Review Periodic Tasks That Include Effective Systems Management and Security

The institution’s ISO needs to have visibility and accountability into existing technology driven security measures, including implementing approved software, anti-malware efforts, software patches, encryption, and multi-factor authentication to prevent unauthorized access to information. The ISO should also ensure the financial institution has adequate intrusion detection and intrusion prevention systems in place; review back up failures; and evaluate activities for high-risk online banking customers (ACH/wires).

Cybersecurity is a constant challenge for financial institutions, especially smaller banks and credit unions with limited resources. Because of the ever-expanding expectations for the role, institutions often struggle with hiring and retaining individuals with the extensive expertise needed to fill the ISO’s shoes. However, financial institutions that require assistance are increasingly turning to trusted third-party providers to ensure that information security requirements are properly addressed on a periodic basis.

Succession planning is crucial to business continuity planning and maintaining an organization’s growth, longevity, and legacy. A succession plan is essentially a strategy for transferring key roles when individuals leave due to retirement, resignation, or whenever circumstances such as Pandemic or natural disaster impact the availability of your key employees. While a typical succession plan may focus on the transition of senior executives, such as the CEO, CFO, COO, executive director, or bank president or manager, it is also important to include other key employees in which you may have a concentration of duties, such as the Information Security Officer (ISO).

Why plan for transitions?

While everyone has a part to play in supporting an institution’s information security, compliance processes, and cybersecurity activities, no one is more central to this endeavor than the ISO. Those taking on the role of ISO assume a wide range of responsibilities, as well as the associated accountability. Financial institutions should be prepared and know how to proceed should the ISO leave or be unavailable or unable to perform their job duties. This means not only identifying alternate personnel for this key position, but also having those folks properly trained in advance.

In addition, regulators are increasingly requiring financial institutions to have a formal succession plan for key employees, and we’ve seen an uptick in findings related to this issue. The Federal Financial Institution Examination Council’s (FFIEC) IT Examination Handbook requires financial institutions to include cross-training and succession planning in the business continuity plan to ensure back-up personnel are identified for key operational positions. In addition, the FFIEC guidance also states that institutions should designate at least one information security officer responsible and accountable for implementing and monitoring the information security program. ISOs should report directly to the board or senior management and have sufficient authority, stature within the organization, knowledge, background, training, and independence to perform their assigned tasks. To ensure appropriate segregation of duties, the information security officers should be independent of the IT operations staff and should not report to IT operations management.

Yet many institutions approach ISO succession planning in general, let alone for the ISO, as an afterthought (if at all) and are ill-prepared to address and manage the ever-growing list of ISO responsibilities. Studies show that while a succession plan is crucial, less than half of banks have a long-term and emergency succession plan in place, according to research by Bank Director. Also, approximately 37 percent of banks identified succession planning among their top three board composition challenges, reported the 2018 Bank Director survey. Another 25 percent of those surveyed expressed dissatisfaction with their bank’s succession planning efforts.

Regardless of the situation, planning (and cross training) ahead of time can help minimize uncertainty, prevent unnecessary stress and assure continuity in the information security/cybersecurity process. Considering that the ISO is responsible for oversight and coordination of the security and confidentiality of Non-Public Information (NPI) , as well as FFIEC compliance and regulatory requirements, a misstep or lack of guidance in these areas can cause operational, regulatory, and reputational risks to the financial institution.

Creating a succession plan for the ISO

Succession planning generally entails identifying and developing successors who can replace vital roles. Strategies for succession planning vary based on the size, type, and goals of the organization, but there are some basic steps to follow:

• Assess requirements and responsibilities — A good place to begin the planning process is to understand the primary responsibilities, expertise, and requirements of the ISO position. Although this continues to evolve, to date we’ve identified 35 distinct elements in 7 categories ranging from information security to BCP, Vendor Management, and Strategic IT planning.
• Evaluate internal talent — Identify which employees may be the most qualified to take on these tasks, bearing in mind that in all likelihood you may need multiple resources. Commit to cross training these individuals through hands-on training, classroom education, and mentorship.
• Recruit externally — If there is a shortage of internal talent to fill the ISO role, institutions might consider identifying potential resources outside their organization, such as a virtual ISO service.

Succession planning for the ISO is a matter of information security continuity, and any gaps in this area may impact the entire enterprise, including the senior management, employees, customers, shareholders, and other stakeholders. Banks and credit unions should keep in mind that succession planning in general is not a one-and-done undertaking. Because of the evolving nature of information security, it is an ongoing exercise, and succession plans should be reassessed regularly and updated as needed. Effective succession planning and cross training will make transitions (planned or unplanned) a more positive experience for everyone in the organization.

Banks and credit unions alike have grown accustomed to the frequent and often strenuous regulatory exams and audits that have become a large part of their day-to-day life. Perhaps not surprisingly, according to our third annual report, “2019 IT Outlook for Community Banking,” compliance issues remain a big concern for these institutions, especially in terms of meeting examiner expectations. Financial institutions continue to struggle across critical areas such as: vendor management, business continuity planning, cybersecurity, audits, and exams. Risk assessments, which according to survey results, is a big struggle as 65% of respondents claim it is currently their greatest IT challenge.

Continuously changing interpretations of guidance that is already in place, along with new guidance, has made the exam process — starting with the preparation all the way through to accurate documenting steps taken to remediate findings — an extremely time-consuming and stressful endeavor.

At the beginning of the exam process, the examiner typically sends a list of items they want to review; certain areas they plan to examine; and items they plan to discuss. This list normally includes a number of reports and documents the financial institution must prepare ahead of the review and subsequently provide to the reviewing agents before the on-site visit. While some exams only require a handful of reports to prepare up-front, others can request more than 60 different reports, including:

• Organizational Charts
• Financial Reports
• Business Continuity Plans
• Disaster Recover Plans and Test Results
• Vendor Management Policies
• Security Policies

In addition to gathering and preparing the reports and documents the examiner requests, there are certain steps banks and credit unions can do before the exams to help streamline the process, feel more confident and prepared, and better meet examiner expectations:

Review All Relevant Guidance and Significant Changes

The management team and compliance officers should familiarize themselves with all relevant guidance for their institution, and make sure they are up-to-date on any changes that might affect them. In addition, they should review recent significant changes to internal technology infrastructure, risk assessments for customer or member facing electronic banking services and as well as the financial institution’s cyber risk appetite statement.

Review Previous Examination Reports 


Review the previous exam reports for any comments or matters that required attention. It is critical that all exam findings from previous examinations be addressed, with corrective actions documented.

Review Any Non-Finding Comments (If There Have Been Any)

If the institution received any comments from the examiner that did not rise to the level of a finding, they should be prepared to discuss how (or if) the institution plans to address these items in the future. In some cases, management may decide these items do not require corrective actions. However, they should still be discussed, and any rationale (action or inaction) documented.

Review the Compliance Plan

Each financial institution needs to be able to show examiners how they identify, track and respond to compliance issues. Often referred to as a Compliance Management System (CMS), this typically includes everything from how they introduce new initiatives and new vendors, how they implement and manage the initiatives, and how they respond and prepare for expansions and organizational changes, to how they track audit and exam findings.

Automate Compliance Tasks

Finding the time to collect all the requested reports and adequately prepare for exams can be a challenge. In fact, 55% of survey respondents admit to struggling with finding the time to work and focus on compliance-related activities. This struggle has led banks and credit unions alike to search for a more efficient way to manage compliance tasks and leverage automation to manage compliance responsibilities. Approximately 33% of survey respondents outsource their compliance needs, and 59% have increased their compliance spending in the past 18 months.

Regardless of location and size, banks and credit unions are all subject to largely the same regulations. Working with a managed services provider who works exclusively with financial institutions and understands the unique challenges of the exam process, greatly increases the chances that you are not only prepared for an exam, but can confidently meet all examiner expectations both before, and after, the exam.

To gain more insights into the key challenges, goals and opportunities facing banks and credit unions today, please download the full report here.