Pub. 6 2017 Issue 1
Leading advocate for the banking industry in Kansas

NEW YEAR’S RESOLUTIONS FOR GETTING THE BEST POSSIBLE EXAM RESULTS

By Charles Cheatham, SVP & General Counsel, BankOnIT

Happy New Year! Reflecting on 2016, you likely heard more about technology and used more technology in your everyday life than ever before. You also learned more about technology threats. You, your bank or a bank client may have been the victim of ransomware, a type of cybersecurity attack that locks up your computer or data files. Technology threats such as these are becoming more prevalent, as there was a 600% growth in ransomware during the first half of 2016, with over 56,000 ransomware events in March of 2016 alone. And, only 47% of ransomware victims were able to recover all of their data. [i]

It’s also one reason why the FDIC, OCC and Federal Reserve are asking banks during their examinations what strategies the bank is utilizing to monitor and manage expanding technology risks. In looking forward to 2017, here are a few suggestions on what you can do to reduce the regulatory, legal and reputational risks you face from technology threats.

1. Doing what you have done in the past won’t get you the same IT exam results in the future.

In a recent discussion, a banking regulator commented that just because a bank received a 1 on its last IT examination does not mean the bank will get a 1 on its next exam. The reason why is that risks have grown and changed. You must continuously adapt to effectively address new risks.

2. Is the board actively managing information technology risks?

Your bank’s board manages credit risk, interest rate risk and liquidity risk, but they should also be just as active in managing technology risks. Regulators expect your board to manage the technology risks directors are accepting for the bank. If you can’t show that is happening, your IT exam results will be worse.
Having the board actively involved in managing technology can also reduce legal risk.

3. Do you have an active IT Committee?

Your examiners are going to be concerned if your bank does not have an active IT committee that documents regularly held discussions on technology and technology risk. The reason why is that today nearly everything in the bank is impacted by technology, and without having a process to document what is occurring, it is difficult for management and the board to monitor and manage your technology risks.

4. Are you effectively connecting bank board objectives, bank employees and technology in a seamless manner?

It can be challenging to accomplish. For example, most every bank board has a very strong commitment to BSA/AML regulations and every bank employee likely understands how critical it is to report Currency Transaction Reports (CTR) and Suspicious Activity Report (SAR) filings accurately and timely (due in part to the civil money penalties that can apply if it is not done correctly). But, are your board members and bank staff aware that certain cybersecurity events require filing of a SAR? And, is your technical staff collecting the technical details needed to provide in the SAR filing? Good communication across the entire bank about strategic goals, cybersecurity and regulatory issues is very necessary to satisfy regulatory requirements.

Banks face expanding technology risks that result in more regulatory, reputational and legal risks than ever before. This is not something that your bank can simply wait to respond to. Bank regulators expect to see planning and proactive management addressing this new risk environment. As a result, you must continuously evaluate the strategies, systems and people your bank is relying on to protect against not only emerging cyber threats but also the related risks these threats.
Source: [i] https://www.fincen.gov/sites/default/files/shared/FAQ_Cyber_Threats_508_FINAL.PDF

Charles Cheatham is Senior Vice President and General Counsel at BankOnIT. He has more than 30 years of experience providing legal services and advice to bankers. Prior to joining BankOnIT he served as vice president and general counsel of the Oklahoma Bankers Association and was previously a partner at McAfee & Taft, the largest law firm in Oklahoma. Charles is a graduate of Harvard Law School.