On November 7, 2014, before the 10th Annual Community Bankers Symposium in Chicago, Comptroller of the Currency Thomas Curry discussed efforts to enhance cybersecurity among community banks. In addition to emphasizing the need for improved cybersecurity at all financial institutions, Comptroller Curry noted that the burden of cybersecurity falls especially hard upon community banks. To mitigate cybercrime risks, the Office of the Comptroller of the Currency (OCC) and other bank regulators have provided a number of resources to financial institutions. Comptroller Curry’s speech highlights those resources and provides a game plan for cybersecurity at community banks.
Given that community banks don’t have the same kinds of support to fight cybercrime as large financial institutions do, community banks should take advantage of all the resources available to them. Comptroller Curry noted support provided by the Financial Services Information Sharing and Analysis Center (FS-ISAC) and the Federal Financial Institutions Examination Council (FFIEC). The FS-ISAC is a private-sector nonprofit information-sharing forum established by financial services industry participants in response to the federal government’s efforts to facilitate the public and private sectors’ sharing of physical and cybersecurity threat and vulnerability information. FS-ISAC helps community banks by providing an information-sharing platform where industry experts can verify and analyze the threat and identify any recommended solutions. FS-ISAC enables community banks with limited resources to access current solutions and best practices to guard against known and emerging cyberthreats.
FFIEC recently launched a cybersecurity awareness initiative that includes important resources for community banks. Comptroller Curry highlighted FFIEC’s May 7, 2014, webinar for community banks on cybersecurity, alerts on the “Heartbleed” and “Shellshock” vulnerabilities, and statements addressing cyberattacks on automated teller machines, among other resources. During the summer of 2014, FFIEC conducted a cybersecurity examination work program (Cybersecurity Assessment) at more than 500 community banks intended to evaluate their preparedness to mitigate cyberrisks. On November 3, 2014, FFIEC published its general observations of the Cybersecurity Assessment and issued a cybersecurity threat and vulnerability statement encouraging financial institutions of all sizes to join FS-ISAC.
Understanding Inherent Risks
OCC Comptroller Curry stressed the importance for community bank boards of directors and management to understand the inherent risks to cybersecurity and vulnerabilities as important tools for improving cybersecurity. As noted in its general observations of the Cybersecurity Assessment, FFIEC suggested that chief executive officers and boards of directors ask the right questions to better understand the type, volume and complexity of operational considerations, such as connection types, products and services offered, and technologies used. In addition to understanding inherent risks, community banks should routinely discuss known and emerging cyberthreats (with assistance from FS-ISAC), and review the institution’s current practices and overall preparedness, by focusing on the following:
- Risk management and oversight
- Threat intelligence and collaboration
- Cybersecurity controls
- External dependency management
- Cyberincident management and resilience
Third-party service providers are important to all financial institutions, but are of particular importance to community banks. Third-party relationships are a significant area of concern due to the large amount of sensitive bank and customer data associated with them. Given the reputational risks due to data privacy breaches, Comptroller Curry reminded community banks that they must manage third-party risk by adopting appropriate risk management processes. A community bank’s risk management processes should be commensurate with the level of risk and complexity of its third-party relationships and should ensure comprehensive risk management and oversight of third-party relationships involving critical activities. When adopting risk management processes, community banks should review OCC Bulletin 2013-29 for guidance on assessing and managing risks associated with third-party relationships.
Implementing the Game Plan
Chief executive officers and boards of directors of community banks should use the resources provided by FFIEC and FS-ISAC to understand cyberthreats and third-party risks by asking the right questions regarding their institutions’ cybersecurity preparedness. After analyzing the inherent risks, a community bank should adopt a strong risk-governance framework that includes cybersecurity as a major component, along with operational risk and compliance risk. The risk governance framework should be commensurate with the institution’s size, complexity and risk profile. When designing a risk-governance framework that addresses Comptroller Curry’s cybersecurity suggestions, a community bank should:
- develop a comprehensive strategic plan and written statement for cybersecurity risk management to be approved by the board of directors or the board’s risk committee;
- assign well-defined roles and responsibilities for implementing the cybersecurity risk governance framework that includes the board of directors, chief executive officer, chief risk officer, front line units, independent risk management and internal audit;
- establish and adhere to written policies and procedures that mitigate cybersecurity and third-party vendor relationship risks by implementing an effective third-party risk management process that addresses critical activities throughout the life cycle of third-party relationships; and
- review and update the risk governance framework as needed to address emerging risks, strategic plans and banking agency guidance.
Given the complexity and risks associated with bank regulation, community banks implementing a game plan based on Comptroller Curry’s remarks should review the resources available on FFIEC’s Cybersecurity awareness web page and other materials provided by the OCC and other regulators. Please contact one of the authors or your regular McGuireWoods lawyer with any questions regarding Comptroller Curry’s recent statements or data privacy and cybersecurity for community banks. For more information, see the FFIEC’s Cybersecurity awareness web page or read an online version of Comptroller Curry’s speech.