Cyber Risk Tool Now 'Voluntary' in Name Only, Banks Fear

WASHINGTON — A cybersecurity assessment tool designed to help bankers bolster their defenses against hackers and other cybercriminals is continuing to sow confusion among bankers, with some arguing it is effectively imposing tougher standards on the industry.

Since its release in June by the Federal Financial Institutions Examination Council, regulators have insisted the tool is purely voluntary. But some state regulators have strongly urged banks to incorporate it into their risk and preparedness self-evaluations, feeding concerns that the guidelines are mandatory in all but name.

"Everybody understands there's sort of quotes around voluntary," said Kevin Petrasic, a banking industry lawyer and former official at the Office of Thrift Supervision. "The last thing you want to have is a warning shot fired by the examiner that the bank doesn't heed."

A September notice by the Texas Department of Banking encouraged banks to use the tool "as it is the only methodology specifically designed for the banking industry." The state's examiners will be reviewing "completed cybersecurity assessments" starting this year, according to the letter.

Within a few weeks, Massachusetts's Division of Banks and Maine's Department of Professional and Financial Regulation both issued similarly worded statements.

Bankers further worry that some influential states might be leading the way on tougher cybersecurity standards, prompting others to follow suit, whether or not they possess enough resources to enforce those measures.

In November, the New York State Department of Financial Services sent a letter to federal and state agencies calling for "regulatory convergence … on new, strong cyber security standards for financial institutions." The agency also proposed imposing specific new requirements on New York-chartered banks, including multifactor authentication and annual vulnerability assessments.

"Whatever New York does will have a ripple effect," said Lynne Barr, a partner in Goodwin Procter's financial institutions group.

But that could be a bad thing, she argued.

"I don't think by and large that states have the expertise or the resources to really be on top of cybersecurity threats the way that central regulators do," Barr said.

The tool is made up of two parts. The first measures an institution's "inherent risk profile" and the second helps determine its "cybersecurity maturity" to describe how advanced its cyberdefenses are. The regulators expect that as an institution's risk profile increases, so will its maturity level.

It was drawn in part from exam protocol. For companies at the "baseline" risk level, the guidelines are derived from requirements contained in FFIEC examiners' IT handbook.

This has fueled concerns that the tool might be used in examinations, either formally or as an additional resource for examiners.

But regulators have reiterated that the tool, which was initially piloted among more than 500 community banks, is meant to be used only on a voluntary basis by banks that want to assess their cybersecurity preparedness more holistically.

In a request for public comment, the Officer of the Comptroller of the Currency noted that the regulatory agencies are "educating examiners on the voluntary nature" of the tool, including in examiner training material.

"However, if a financial institution has completed an assessment [using the tool], examiners may ask the financial institution for a copy, as they would for any risk self-assessment performed by the financial institution," the OCC added.

Yet how regulators use the tool varies among agencies.

While the OCC has said that it plans to "gradually incorporate" it into its examination procedure, the Federal Deposit Insurance Corp. has only instructed its advisors to "discuss" the tool with managers.

It "is a voluntary tool," said Mary Beth Quist, senior vice president of bank supervision at the Conference of State Bank Supervisors. "Each agency is using it in their examination process as appropriate."

Quist added that the guidelines are not meant to be set in stone. "The FFIEC is committed to evaluate feedback that comes in and keep the tool updated," she said.

Large banks that are typically more advanced in their cybersecurity practice have expressed different concerns about the tool. They are asking for more conformity between it and guidelines directed at firms in other industries.

The FFIEC tool reproduces in part the National Institute of Standards and Technology cybersecurity framework, and was developed with input from NIST experts. But banks argue that differences between the two sets of guidelines could create a rift in cybersecurity standards between the financial industry and companies that service it.

By creating a closer mapping of the FFIEC to the NIST framework, regulators could "ensure that our critical third-party providers adhere to the same cybersecurity requirements as we do," said Doug Johnson, senior vice president for payments and cybersecurity policy at the American Bankers Association.

"Think of it as ornaments on a Christmas tree. The Christmas tree has a level of stability to it, but individual sectors have different ornaments," Johnson said. "So that we have as much commonality as possible as opposed to have complete disparity."

Credit unions, on the other hand, are showing preference for the FFIEC's tool over the NIST framework. In a Feb. 3 letter to NIST, the National Association of Federal Credit Unions urged the agency to "maintain the voluntary structure" of the framework. The credit union group encouraged the NIST to "carefully study the framework adopted in the [FFIEC cybersecurity assessment tool] and ensure that the revised NIST framework follow a similar approach."