Pub. 5 2016 Issue 6

FRB, OCC AND FDIC ARE PREPARING NEW MANDATORY CYBERSECURITY STANDARDS; FDIC ANNOUNCED NEW IT RISK EXAMINATION PROGRAM EFFECTIVE JULY 1

The Federal Reserve is currently working with the OCC and FDIC to create new minimum cybersecurity standards that banks must comply with. According to Bloomberg News, the effort by the three agencies has not yet been made public; but the move arises from a concern “that as digital breaches become more frequent and aggressive, an attack could cripple the entire financial system.” i A recent article in The Boston Globe disclosed that hackers gained access to a community bank’s network, installing malware that was directed not at the bank itself but at the Federal Reserve’s payment systems. Threats such as these, combined with many community banks’ apparent belief that they are not big enough to be targeted by an attacker, are motivating regulators to create mandatory minimum cybersecurity standards for all banks. Each of the agencies is now taking a more aggressive role on cybersecurity, with most Federal and State regulators publicly stating that cybersecurity risk is a bank’s number one risk, ahead of both credit and interest-rate risk.

The FDIC announced on July 1 that its IT examinations will now be conducted using a new 60-page examination form that the FDIC just released in its FIL-43-2016. ii The FDIC’s new Information Technology Risk Examination (InTREx) Program is designed for examiners to fill out electronically and is effective July 1, 2016. Banks that have either the FRB or the OCC as primary Federal regulator would benefit from reviewing the FDIC’s newly-issued examination questions, because there is a strong possibility that all three agencies’ IT exam programs will look a lot more alike than different after the new mandatory cybersecurity standards are released. Reviewing the guidance will give all banks an opportunity to update procedures internally that otherwise could draw criticism when examiners make their next visit.

Impact on your CAMELS rating

Now, FDIC examiners will be drilling deeper and will assign grades to the bank on each question. The exam form also allows examiners to add “comments” as part of each answer. Based on the grades assigned to these separate questions, the FDIC will also give a bank overall and separate-component ratings at each IT exam. These will be included in the Risk Management Report of Examination and will impact the management rating in your bank’s CAMELS rating.

Need for more lengthy explanations in responding to exception items

Because the new exam form makes it easy for examiners to provide specific criticisms or “corrective suggestions” following each question; because the exam questions will probe many specific points in more detail; and because the bank is separately graded on each question, there will also be a greater need to explain exception items following future IT exams. You will need to know how to respond.

Your next step

With increasing standards for cybersecurity regulation, it is even more important to have strong cybersecurity protections and to document and communicate to the examiners the board-level actions your bank is taking. What strategy will your bank use to prepare for the new examinations, and can you respond to these challenges with your current staff?

By Charles Cheatham, SVP and general counsel, BankOnIT

About the author: Charles Cheatham is general counsel at BankOnIT and previously served as general counsel for the Oklahoma Bankers Association. Charles is a graduate of Harvard Law School. For more information, visit www.bankonitusa.com, or contact solutions@bankonitusa.com.

Resources:
i http://www.bloomberg.com/news/articles/2016-07-08/bank-cyber-attacks-said-to-prompt-fed-to-prepare-new-safeguards
ii https://www.fdic.gov/news/news/financial/2016/fil16043a.pdf