Pub. 7 2018 Issue 8

Leading advocate for the banking industry in Kansas

CYBERSECURITY THREATS: WHAT IS THE REGULATORY IMPACT?

By: Sara Nielsen, Senior Vice President, BankOnITUSA

As cybersecurity threats continue to increase, your bank’s regulatory risk grows as well. Regulators recognize that rapid changes in technology are introducing more risks to banks than ever before. A majority of bankers expect they will suffer from a cybersecurity attack while also recognizing they are not fully prepared for an attack. Cybercriminals know this, and regulators know this, too.

A recurring comment from regulators is that they want to see IT moved from the back room to the boardroom. What this statement means is that technology risk management is the responsibility of the bank’s board of directors and the bank’s CEO. Regulators are concerned about the impact technology management (whether done well or done poorly) has on the overall safety and soundness of a financial institution and, as a result, are continuing to add more regulatory focus on banks’ use of technology.

Cyber breaches, data loss, downtime, disclosure of customer information and other events have a significant impact on the entire banking organization and represent reputational, legal, operational and financial risks. Weak technology risk management that does not include board and CEO involvement also creates regulatory risk. Although some banks experience a heightened regulatory focus in IT examinations due to a specific event, at many banks the heightened regulatory focus is simply because more is expected to address the higher technology risk environment in which we all operate.

Given the significant impact that technology risks have on an organization and the substantial risk IT poses, regulators continue to consider ways to factor a bank’s IT rating into the management component of the CAMELS rating.
This more comprehensive approach is being taken by regulators when assessing a bank’s IT program. Regulators are no longer reviewing a bank’s IT rating in isolation. Regulators are determining the impact the bank’s IT rating should have in assessing how effectively the board and CEO are protecting the organization from overall risk.

A lack of board involvement and weak management of technology are more frequently resulting in regulatory enforcement actions and criticisms during IT examinations. As a component of the Management rating in the CAMELS rating system, this can adversely impact your bank’s strategic plans, including hindering branch applications, mergers, acquisitions or other key initiatives. No regulator wants to be responsible for allowing a bank to expand when the bank’s operational capabilities have been deemed to be lacking. Just as importantly, exam findings, or a formal or informal enforcement action, require significant internal resources to address and take management focus. Your bank may be subject to more frequent regulatory visits as well.

A well-developed strategic plan for managing technology risk that is successfully executed throughout the organization will keep your bank and customers safe. Furthermore, an effective technology strategy and strong technology resources and partners will also ensure you are maintaining successful regulatory relationships that will support a favorable IT rating and help secure your ability to execute your strategic initiatives.

For more information about a technology partner who can help your bank put IT management back in the boardroom, contact BankOnIT at 800-498-8877, option 2, or solutions@bankonitusa.com.

About the Author: Sara Nielsen is senior vice president at BankOnIT.
Sara has served on the management team for a multibillion-dollar asset-sized bank, and prior to joining BankOnIT, she worked over 13 years for the Federal Reserve Bank of Kansas City as a manager in the financial institution Examinations and Inspections Department with responsibility for overseeing the Reserve Bank’s Information Technology Examination Program.
