As Cyber Threats Increase, Regulators Worry about Bank Readiness

May 2015

Don’t think a community bank is immune from cyber attacks. Regulators are increasingly focused on cybersecurity and expect your bank to be on top of threats, including those that may hit your third-party service providers. In today’s interconnected world, banks need to protect their data, websites, apps and internal network.

“Cyber attacks have increased in frequency and severity over the past two years. The attacks often involve the theft of credentials used by customers, employees, and third parties to authenticate themselves when accessing business applications and systems,” the Federal Financial Institutions Examination Council warned in late March.

“Cyber criminals can use stolen credentials to commit fraud or identity theft, modify and disrupt information systems, and obtain, destroy, or corrupt data. Also, cyber criminals often introduce malware to business systems through e-mail attachments, connecting infected external devices, such as USB drives, to computers or networks, or by introducing the malware directly onto the business systems using compromised credentials,” the FFIEC wrote.

Community banks should make sure they test their incident response and business continuity plans and know what to do if their bank – or a third-party provider – is attacked, the regulators warned. Banks should have a plan to make sure that recovery strategies reflect the potential for a simultaneous attack on both the bank and its backup data center.

New York State last year said it was pumping up its IT exams to focus on cybersecurity readiness. It wants all institutions to view cybersecurity as “an integral part of their overall risk management strategy, rather than solely as a subset of information technology,” state regulators said in March.

The new exams focus on whether banks have the proper corporate governance policies and procedures to manage cybersecurity issues and risks. Banks will be expected to demonstrate that they have the right reporting structure, resources, safeguards and testing to guard against an attack, and business continuity plans in place in case one happens. Federal regulators may follow suit.

The CEO and the board are responsible for cybersecurity management, the Conference of State Bank Supervisors stresses in a “Cybersecurity 101,” a report designed for community bank CEOs.

Here are some questions every CEO should ask to understand a bank’s risks, according to the guide:

Does my bank know what information it manages, where it is stored, how sensitive it is and who has access to it?

What are my bank’s key business information assets and are they adequately protected? Is confidential information – data that would severely impact the bank if lost, damaged or released – treated like a crown jewel?

What types of internet connections does my bank have and how are they managed and protected? Does the bank allow employees to bring their own devices to work and if so, what controls are placed on that?

How is my bank connecting to third parties and ensuring they are managing their cybersecurity risks?

Once CEOs understand the answers to those questions, and classify their information assets to know their importance, they can then begin identifying the bank’s threats and vulnerabilities. Regulators have encouraged community banks to join the Financial Services Information Sharing and Analysis Center.

New York state regulators surveyed banks last year and discovered that many banks were reluctant to reveal “perceived or actual security weaknesses to competitors,” yet the most productive information-sharing must focus on specific threats and solutions. This is especially important to community banks, which have limited financial resources and must spend wisely to be the most effective.