For the third year running, I have had the opportunity to participate in the Virginia Bankers Association’s Operations & Technology Conference, this year as part of the consolidated VBA Protect Conference, on the “What to Expect from your Regulators” panel. It’s always fun and interesting to forecast hot-button topics, but as with any forward-looking commentary, my predictions are limited to what we have encountered with our clients and what we can glean from guidance released throughout the year. Those limitations certainly don’t prevent us from recommending where you can spend your time and resources to adequately prepare for your next regulatory exam.
As I was preparing talking points for the “What to Expect” panel, a representative from the Federal Reserve Bank of Richmond spoke at a VBA CFO Round Table at our Richmond office about “Regulatory Hot Topics”. What a happy coincidence. So our update this year includes topics from the CFO Roundtable, various other banking industry conferences and presentations, the Risk Advisory Services’ own research, observations, conversations with clients, and gut instincts.
Information Technology continues to be a really hot area for examiners.
Over the course of about 12-18 months, the folks in the 5th district of the Fed identified twice as many IT related findings, by quantity, as any other area that was examined. The next highest area was the Management section. Two key reasons were identified for the high volume of IT related findings. First, the threat landscape surrounding IT changes very rapidly. Second was a lack of IT resources in many rural markets.
A majority of IT deficiencies were noted in the following areas: weaknesses in the Information Security Program (ISP), Business Continuity/Disaster Recovery planning, and core application and network security. More specifically, the ISP often contained incomplete or inaccurate risk assessments. Weak IT asset management practices and ineffective board reporting have also contributed to exam findings.
High and emerging risk areas are consistent with the IT findings noted above. Information security remains a top priority whose impact touches almost every area of a bank and its customers. Weaknesses continue to exist in corporate governance, especially in IT. Regarding emerging risk areas specifically, FinTech companies are on the radar. FinTech companies and their products can either complement or compete with a bank. In fact, we are beginning to see core banking platforms architected on cloud platforms instead of on-premises or hosted platforms.
So what do these areas look like on a day-to-day, practical level in your banks? What are some tangible steps you can take today to ensure your institution is prepared for its next examination? Our prediction is that 2018 is the year cybersecurity moves to the center of the exam cycle. The FFIEC Cybersecurity Assessment Tool has been available for several years, and all banks should be at least at the Baseline maturity level. The cybersecurity threat poses a deep risk to the trust placed in the industry, and examiners are paying close attention to the quality of IT controls.
Governance of Cybersecurity and Information Security will be paramount.
The board of directors and board sub-committees (an Enterprise Risk Committee, for example) know cybersecurity risk exists but often are unsure how to measure or control it. It is incumbent on IT and operations staff to educate senior management and the board on the technology and cybersecurity threats facing your institution.
The cybersecurity program should start with an IT asset based risk assessment.
The premise of this document is simple: you cannot protect an asset you don’t know you have. The process begins by inventorying IT assets and the data those systems hold, then identifying the threats to each asset and the controls that mitigate them. This is not your GLBA or Information Security risk assessment; it is a separate, asset-level document.
Increasing frequency and quality of end user cybersecurity training.
Once-per-year IT training will no longer suffice. Many banks have moved to integrated training and phishing testing exercises, along with regular (monthly or quarterly) newsletters that discuss emerging cybersecurity trends and where employees should be on the lookout for new threats.
Increasing the quality of information technology controls.
Examples of improving the quality of IT controls include a more mature patch management process: one that deploys security patches in a timely manner, includes rescanning and remediation procedures for hosts the deployment missed, and reports to an IT Steering Committee or similar oversight body that holds asset owners accountable. Another is stricter authentication for remote access: because it is a possible attack vector, most remote access should require multi-factor authentication. Finally, to strengthen the quality of IT and cybersecurity controls, banks should begin investigating next-generation security tools. For example, deploying a baseline-based anti-malware tool that produces forensically sound evidence, instead of (or in addition to) a signature-based solution, will improve your cybersecurity posture.
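The asset inventory from the risk assessment section and the rescan-and-remediate step of the patch process above are two halves of one control: the inventory says which hosts must be patched, the rescan says which ones actually were, and the gap is what the steering committee needs to see. The following Python script is an added example written for this article, not the author’s or any vendor’s code. The host names, patch identifier, dates and SLA targets are constructed sample data; the SLA-by-criticality policy is an assumption, not something the article prescribes.

```python
"""Reconcile a patch deployment against the IT asset inventory.

Added illustration (not the article's code). Hosts, patch ID, dates and
SLA targets below are constructed sample data, not real bank systems.
"""
from dataclasses import dataclass
from datetime import date

# Assumed remediation policy: days allowed after patch release, by asset criticality.
SLA_DAYS = {"high": 7, "medium": 30, "low": 90}


@dataclass(frozen=True)
class Asset:
    host: str
    owner: str          # team accountable to the IT Steering Committee
    criticality: str    # "high", "medium" or "low"


@dataclass(frozen=True)
class ScanRecord:
    host: str
    patch_id: str
    installed: bool
    scanned_on: date


# Constructed inventory: the "do you know what you have" list.
INVENTORY = [
    Asset("core-db01", "core-banking", "high"),
    Asset("core-app01", "core-banking", "high"),
    Asset("vpn-gw01", "network", "high"),
    Asset("fs01", "operations", "medium"),
    Asset("kiosk-lobby", "branch-ops", "low"),
]

PATCH_ID = "PATCH-2018-04"          # hypothetical identifier
RELEASED_ON = date(2018, 4, 10)

# Constructed rescan output after the deployment window.
SCAN = [
    ScanRecord("core-db01", PATCH_ID, True, date(2018, 4, 24)),
    ScanRecord("core-app01", PATCH_ID, False, date(2018, 4, 24)),
    ScanRecord("vpn-gw01", PATCH_ID, True, date(2018, 4, 24)),
    ScanRecord("fs01", PATCH_ID, False, date(2018, 4, 24)),
    ScanRecord("kiosk-lobby", PATCH_ID, False, date(2018, 4, 1)),      # stale: scanned before release
    ScanRecord("legacy-print01", PATCH_ID, False, date(2018, 4, 24)),  # not in the inventory
]


def reconcile(inventory, scan, patch_id, released_on):
    """Classify every inventoried host as patched, missed or unscanned,
    and flag scanned hosts the inventory does not know about."""
    known = {a.host for a in inventory}
    latest = {}
    for r in scan:
        if r.patch_id != patch_id:
            continue
        # keep only the most recent result per host
        if r.host not in latest or r.scanned_on > latest[r.host].scanned_on:
            latest[r.host] = r
    result = {"patched": [], "missed": [], "unscanned": [], "unknown": []}
    for a in inventory:
        rec = latest.get(a.host)
        if rec is None or rec.scanned_on < released_on:
            result["unscanned"].append(a.host)   # no result, or a result that predates the patch
        elif rec.installed:
            result["patched"].append(a.host)
        else:
            result["missed"].append(a.host)
    result["unknown"] = sorted(h for h in latest if h not in known)  # asset-management gap
    return result


def remediation_list(result, inventory, released_on, today):
    """Rows for the steering-committee report: who owns each open host and
    how far past its SLA it is (negative means still within SLA)."""
    by_host = {a.host: a for a in inventory}
    elapsed = (today - released_on).days
    rows = []
    for status in ("missed", "unscanned"):
        for host in result[status]:
            a = by_host[host]
            rows.append({
                "host": host,
                "owner": a.owner,
                "criticality": a.criticality,
                "status": status,
                "days_overdue": elapsed - SLA_DAYS[a.criticality],
            })
    rows.sort(key=lambda r: (-r["days_overdue"], r["host"]))  # most overdue first
    return rows


def coverage(result, inventory):
    """Share of inventoried hosts confirmed patched by a post-release scan."""
    return len(result["patched"]) / len(inventory)


if __name__ == "__main__":
    res = reconcile(INVENTORY, SCAN, PATCH_ID, RELEASED_ON)
    print(res)
    for row in remediation_list(res, INVENTORY, RELEASED_ON, date(2018, 4, 25)):
        print(row)
    print(f"coverage: {coverage(res, INVENTORY):.0%}")
```

Two details matter for the exam conversation. A scan result that predates the patch release proves nothing, so the script treats it as unscanned rather than counting the host as missed or patched. And a host that appears in the scan but not in the inventory is reported separately, because it is an asset-management finding rather than a patching one.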
Of course, all of these hot-button topics come nicely packaged with plenty of caveats. Every bank is different, and the examining agency and the makeup of your exam team all contribute to the topics and the depth with which they are covered during your next IT exam. But one thing is for certain: your IT folks will be spending a lot of time with examiners this year.
Bryan is a Manager at YHB and serves on the Risk Advisory Services Team. Bryan focuses on assisting organizations in a variety of industries with internal audits and IT-related audit and consulting services.