RALEIGH, N.C. — Bankers here got a detailed reminder from their regulators to expect heavy scrutiny of cybersecurity measures in upcoming exams.
The reason is obvious: Cyberattacks are on the rise across the industry, with even small institutions falling prey to certain types of attacks, regulators said Tuesday during a panel discussion at a North Carolina Bankers Association conference.
Some community banks in Virginia recently reported cases of being attacked with ransomware after employees clicked a link in an email, said Chris Palumbo, assistant vice president of supervision, regulation and credit at the Federal Reserve Bank of Richmond. Ransomware is malicious software designed to block access to computer systems until money is paid to the attacker.
"Banks need to notify the Fed when hit with ransomware," Palumbo said to the roomful of bankers, adding that annual training for employees is also critical.
The Fed has also seen increased issues with network security and administration, along with instances where banks have contingency plans but are not testing them effectively, Palumbo said.
Those areas, along with reviews of patch management procedures, are likely to face review during regulatory examinations, panelists said.
In North Carolina, examiners are also checking to see if bankers are using cyberassessment tools provided by their regulators, said Ray Grace, the state's banking commissioner.
Cyberattacks are "an existential and immediate threat," Grace said. "Small banks are not immune. This is not just a big-bank problem."
While cybersecurity was a key topic of discussion, panelists also shared their thoughts on areas were smaller banks could find regulatory relief in coming months. To be sure, most panelists said relief could be minimal until the presidential election is held.
Still, banks with $1 billion or less in assets should expect to see shorter call reports, perhaps as soon as the first quarter of 2017. Talk centered on reducing the number of pages to 64, from 85 currently, and lowering the amount of reporting elements by up to 40%.
Palumbo and Matthew Weghorn, a senior examiner for the Office of the Comptroller of the Currency, also discussed efforts to do more off-site work, thus reducing the amount of time examiners spend inside the bank.
The OCC, meanwhile, is considering a plan that would let examiners skip over certain items during regular exams, depending on the risk file of a particular bank, Weghorn said. Those items would, instead, be covered in following exams.
The Fed is also looking at "risk scoping," where examiners spend more time focusing on areas of risk. That would also mean spending "less time on areas that have gone well," Palumbo said.