WASHINGTON — Community banks and credit unions with inadequate programs to fight cyber risk may soon be hearing about it from their examiners.
The regulators' new cybersecurity assessments — now being piloted for over 500 community-sized institutions as part of regular safety and soundness exams — are meant largely to help authorities gauge cyber-risk readiness at smaller companies that lack the mega-resources available to the big banks.
But the new reviews appear to be more than academic. Officials say issues arising during an assessment may be identified in an institution's formal exam report.
"If we find issues, absolutely we are telling examiners that, based on the existing guidance, they need to inform management of the institution about where their program may be lacking," said Valerie Abend, senior critical infrastructure officer at the Office of the Comptroller of the Currency. "Where it is something that follows current policies, the finding will be part of the examination report."
Sources familiar with the situation say regulators may also identify deficiencies, through less formal communication, that go beyond existing guidance.
The Federal Financial Institutions Examination Council announced the assessments last month, and introduced them earlier this month for 500 institutions that were next up in the schedule of normal safety and soundness exams. This initial round of assessments is expected to last through mid-July. Whether additional community banks and credit unions will be included has not yet been decided.
Fears of financial cyberattacks — which have only worsened following high-profile incidents such as discovery of the Heartbleed Bug — tend to center more on the big-name banks. But with smaller institutions typically outsourcing their technology and security functions, regulators are increasingly directing attention to their readiness.
In addition to assessing "the complexity of an institution's operating environment," according to a summary on the FFIEC website, the review focuses on five key components of cybersecurity preparedness. They are: risk management, threat intelligence, cybersecurity controls, the reliance on external management and how the institution would manage a cyber incident.
(The FFIEC includes the OCC, Consumer Financial Protection Bureau, Federal Deposit Insurance Corp., Federal Reserve Board, National Credit Union Administration and a liaison committee of state regulators.)
Since the assessment will supplement a normal exam, examiners finding issues or concerns related to policies that violate current legal or regulatory guidance "will inform the institution and communicate necessary corrective action," the summary said. Yet, the FFIEC added, "the pilot Cybersecurity Assessment does not impose new expectations for institutions, nor will it result in any new examination rating."
Abend said the next steps in the process will be finalized after the initial round of reviews is completed.
"We're going to analyze the findings and then make a determination of how to leverage the information across our policy development and supervisory practices. There is a lot of focus on getting this right because of the cyber risks facing the industry," she said.
Many observers have welcomed the new effort, but some say it remains to be seen how the agencies will distinguish the new assessments from preexisting data security components of the safety and soundness exam.
"Our impression is" the assessments are "an exercise to help inform the supervisory and rulemaking process generally," said Doug Johnson, vice president for risk management policy at the American Bankers Association.
The process may result in "safety and soundness findings," but "those findings would have occurred independent of the assessments if there was a cybersecurity component of the standard exam," Johnson added. "It would have been uncovered in the standard examination process.
"We'll learn how the agencies are going to finesse these assessments as they relate to the standard data security component of the safety and soundness exam. We haven't really been given a full answer on that."
Cybersecurity experts said the assessments likely address the level of engagement and accountability of boards and senior-level experts as they relate to the institution's technology risk management. Some noted that the prevalence of small-market firms using third-party providers to handle information technology functions could lead some executives to believe, wrongly, that they have outsourced the risk.
"This is very focused on accountability for risks from the board on down," said Gary Owen, a director at Promontory Financial Group. "They can outsource the function, but part of that outsourcing would require that they have some transparency, visibility and understanding of how those risks are being managed. They still need to have a response plan if data is lost or a hacking event occurs."
Tom Layman, managing director at DD&F Consulting Group, said that for clients facing an assessment, he is recommending that banks' information technology committees prepare reports to brief corporate executives about the current cybersecurity landscape and the characteristics of recent breaches.
For example, he said, a report could include how the bank would have been affected and would have responded if it had been the victim of certain recent high-profile breaches, such as that recently announced by eBay.
He agreed there will be a focus on third-party vendors.
"If they outsource their webhosting, certainly the vendor that is being utilized needs to have a response plan in place … and the bank has a plan to respond to that sort of threat," Layman said.
Yet he said he doubts banks "should be worried about this cyber risk assessment.
"I certainly view it as a positive. … The threat landscape is changing and certainly banks do have to be prepared for a cyberincident," Layman said. "It's not out of the question for something like that to occur even at our community banks."