FFIEC Updates Cybersecurity Expectations for Boards
Revised Management Booklet Spells Big Change for Bank Executives
The Federal Financial Institutions Examination Council's updated guidance for bank examiners, released this week, stresses that executives and boards of directors must approve IT plans that contain strategies for addressing emerging and ongoing cyber threats.
The revised booklet focuses on three key areas of change:
- IT governance for boards of directors: They must review and approve IT strategic plans that include security strategies for addressing ongoing and emerging threats, including cyberthreats;
- Risk management for operational risks: Institution management should ensure that effective IT controls are in place, either through direct oversight or by holding lines of business accountable; and
- IT risk management: Management should identify IT assets that are controlled internally or by third parties and ensure they are adequately measuring and mitigating risks to those assets.
Greater Regulatory Burden?
"Governance is critical to the success of a security program, and, unfortunately, a top-down approach is needed here, as cybersecurity and IT risk management can no longer be relegated to the IT department," Litan says. "This will definitely put additional regulatory burdens on the banks, as they now have additional management and reporting processes they must comply with. Vendors that provide IT risk management and governance software will have a heyday with the new guidance."
But Ben Knieff, a financial fraud analyst at the consultancy Aite, believes the updates don't place any additional regulatory burdens on banks and credit unions. Instead, the revisions simply clarify regulatory expectations and encourage executives to invest more in cybersecurity.
"Cybersecurity and cybercrime prevention are still in the learning phase - and probably always will be," Knieff says. "The threat surface changes so quickly, it seems nearly impossible to be fully protected. I would suggest this guidance is a stick to help institutions move forward on cybercrime initiatives. My experience has been that there are smart individuals who understand the threats and risks but may struggle to get the budget to address them. This sort of statement from the FFIEC can help those managers bolster their case for budget if they already know the need and have solutions in mind."
Knieff concurs with Litan that the emphasis on board-level involvement is a welcome addition. "Irrespective of industry, cybersecurity has become a key business initiative to protect customer data and trade secrets/proprietary information," he says.
The Board's Role
Shirley Inscoe, a fraud consultant at Aite, says regulators clearly are demanding more board involvement in cybersecurity and overall risk management.
"What really struck me is how much the role of board members has changed in recent years," Inscoe says. "With this latest venture into overall risk management responsibilities, it seems banks are again going to have to do a lot of education of board members. Directors cannot effectively perform their role without fully understanding it, and most bankers don't fully understand risk management as well as needed in today's environment."
Because of these new regulatory demands, Inscoe warns it will be more difficult for banking institutions to recruit and retain effective board members. "Most board members are savvy businessmen and women," she says. "But the high rate of data breaches demonstrates they cannot totally protect their own businesses. Perhaps people will seek roles on bank boards to obtain the necessary training to effectively manage risk in their own enterprises. That is a bit tongue-in-cheek, but there may be a grain of truth as well."
Still, regulators have an obligation to set guidance that ensures financial institutions maintain a strong cybersecurity framework, Litan says.
"Boards of directors and senior managers are not well-versed in cybersecurity and IT risk management and are actually looking for guidance - although not necessarily from the regulators - on how to proceed in managing these areas, which are outside their comfort zone and areas of expertise," she says.
The revised management booklet can help boards and executives clarify regulators' expectations, Litan asserts.
But Inscoe fears examiners could misinterpret some of the new expectations for risk management noted in the revised booklet. Quantitative measurements for risk management, as the revised booklet suggests, are not practical, she contends.
"With thousands of banks in our country, we probably don't have the bandwidth in risk expertise to successfully meet the examiners' expectations as they are laid out in the handbook," Inscoe says. "While this is a definite road the examiners need to go down, and they have done a great job of documenting expectations, it will be most interesting to see how they implement these requirements, and whether they begin assessing large fines to banks they feel are not fully compliant or that are making inadequate progress."
Cybersecurity: A New Regulatory Focus
Banking regulators have spearheaded a number of initiatives aimed at shoring up cybersecurity at institutions of all sizes.
In May 2014, the FFIEC announced plans for new cybersecurity assessments to be incorporated into the IT examination process. Then in July of last year, examiners launched a pilot program for cybersecurity examinations at 500 community banks and credit unions. The purpose of those exams was to help examiners gauge, in part, how well-versed boards of directors and the C-suite at those institutions were in cybersecurity and cyber-resilience.
This past June, the FFIEC released its Cyber Assessment Tool, designed to help institutions identify risks and weaknesses in their cybersecurity preparedness programs. The tool is expected to be used as part of the IT examination process in 2016.
Experts say new cybersecurity expectations will likely be included in all future FFIEC IT guidance.