FDIC's Gruenberg Details Regulatory Counterattack Against Hackers

WASHINGTON — The volume and types of online attacks against financial institutions have forced cybersecurity to the top of technology issues facing banks and regulators, the head of the Federal Deposit Insurance Corp. said Monday.

Speaking at American Banker's 4th Annual Regulatory Symposium, FDIC Chairman Martin Gruenberg said Internet threats are an "urgent" challenge for banks, and that regulators are in the process of assessing the readiness of both banks and the supervisory agencies to deal with attacks.

"In an increasingly interconnected banking environment, Internet cyberthreats are rapidly becoming the most urgent category of technological challenges facing our banks," he said. "The large number [of] and sophistication of cyberattacks directed at financial institutions in recent years does require a shift in thinking."

Bankers concurred with Gruenberg's call to arms, but community bankers said they need help in combating the problem.

Information technology "is so complicated now and most bankers are ill-equipped to deal with it," said H. McCall Wilson, Jr., the chief executive of the $339 million-asset Bank of Fayette County in Piperton, Tenn. "It is beyond our scope of knowledge. … It is still relatively new. It's not like credit that has been around for 2,000 years. This is something that has happened in the last 25 to 30 years."

They were quick to point out that vendors share the responsibility of protecting the banking system and its customers.

"It is a bigger issue for core-service providers," said Jill Castilla, CEO of the $252 million-asset Citizens Bank of Edmond in Oklahoma. "They've got to step it up."

Gruenberg named cybersecurity among three concerns facing the industry as banks make the transition into a period of stronger growth and increased lending. The other two are continued risks posed by a changing interest rate environment, and the need for prudent underwriting and risk management despite temptations to cut corners as loan demand rises.

He also said bank regulators are nearly finished with a rule requiring securitizers to keep some credit risk of loans sold to investors.

Dealing with all these challenges demands long-term thinking, Gruenberg stressed.

"New opportunities lie ahead, for small banks and large banks alike, and it is important to the economy for the institutions to take advantage of these opportunities. But in realizing those opportunities, it is also important for bankers and supervisors to heed the lessons of the recent crisis and previous crises," Gruenberg said. "Of these, the most important is that success or failure is not determined in the current quarter or the current year.

"The banks that have best served their shareholders and their communities over time are those that have taken the long view, and have made risk management an essential part of their culture," Gruenberg said. "Attention to prudent risk management is what helped most FDIC-insured institutions to get through the recent crisis, and to recover quickly even in a challenging post-crisis environment."

The bank regulators' focus on cybersecurity has largely been driven by an interagency working group within the Federal Financial Institutions Examination Council. It seeks to develop joint regulatory standards.

Gruenberg said that the working group has established a framework for conducting information-technology exams at banks, and is in the process of carrying out an assessment of the industry's preparedness for online attacks. Earlier this year the FFIEC announced it was piloting cybersecurity assessments within the normal exams for 500 community banks.

He indicated the group is developing a report that will include "a self-assessment of regulatory practices to ensure that our own guidance and response capabilities are up to date."

The FDIC has taken its own steps, Gruenberg said, including an online simulation exercise — called the "Cyber Challenge" — to help community banks measure their own readiness. The agency has also released standards on how third-party technology service providers inform banks about operational threats, and on what a bank should do when a problem has been identified at a service provider.

But despite the new threat, Gruenberg said, many of the concerns facing banks related to cybersecurity "are really not all that new."

"New technologies are forcing us to think differently about familiar categories of operational risk," he said. "For years, banks have been developing their capabilities in business continuity, typically as it relates to natural disasters and other physical threats. Today, business continuity increasingly means preserving the ability to maintain access to customer data and to consistently ensure the integrity and security of that data. For this reason, we encourage banks to practice responding to cyberthreats as part of their regular disaster planning and business-continuity exercises."

James Cornelsen, CEO of the $1.2 billion-asset Old Line Bancshares in Bowie, Md., said during a panel at the conference that he has dealt with nearly a half dozen attacks in his career. A good defense requires hard work, constant vigilance and plenty of investment, he said.

"It is a big issue, and the snowball is rolling downhill," Cornelsen said. "You make a lock until somebody breaks it then you make a better lock until somebody breaks that. … It's spending a lot of money on infrastructure and software. It takes a lot of development within our economy and industry to come along with that."

In addition to cybersecurity, Gruenberg's remarks also touched on continued concerns about interest rate risk, and how banks should avoid credit-related problems from the recent uptick in loan portfolios. During a question-and-answer session following his main remarks, the FDIC chairman also signaled that regulators are close to completing the long process of writing risk-retention standards.

The risk-retention rule — mandated by the Dodd-Frank Act — will lay out how securitizers keep a 5% credit piece and define the new class of "qualified residential" mortgages, which are exempt from the retention standard.

"I do think we're at the endgame on this," Gruenberg said of the rule.

On interest rate risk, he said the extended period of historically low rates will inevitably end, heightening concerns about how banks manage the transition to a higher rate environment.

"An upward shift in the yield curve is inevitable; the only remaining questions are when, and by how much," Gruenberg said. "Already, the upward shift in the long end of the yield curve in 2013 has had a significant effect on mortgage-origination activity, particularly curtailing the refinancing of existing mortgages."

Meanwhile, as recent data show that 75% of banks had higher loan balances in the second quarter, Gruenberg said a focus on risk management is as important as ever. He emphasized two credit-related risks in particular: the management of loan concentrations at community banks, and underwriting concerns from large leveraged loans at big banks.

"We welcome this recovery in the overall pace of lending as a sign that our banking system is once again in a position to carry out its critical role in making sound loans to creditworthy borrowers. Nonetheless, the return to more active lending requires bankers and supervisors to renew their focus on sound principles of loan underwriting and the management of loan concentrations," he said.

"Our examiners complete an underwriting survey at the conclusion of every bank exam. In the big picture, their responses do not reveal widespread or significant concerns about loan underwriting at this time. But competitive pressures are real, and may be growing. So this is the time that adherence to sound underwriting policies is the most important."

On leveraged lending, Gruenberg said regulators are monitoring large increases of loans to corporate borrowers that have "a degree of financial or operating leverage that often far exceeds industry norms."

"The FDIC and other banking agencies continue to be concerned about aggressive leveraged lending activities, as many of the more recent transactions have been characterized by high debt-service loads, weak protective covenants, and a lack of amortization," he said.

Jackie Stewart contributed to this article.
