Policymakers Preach Cybersecurity. Are Bankers Listening?

WASHINGTON — Regulators are paying increasing attention to cyberthreats facing financial institutions, but many bankers are only just beginning to wake up to the warnings after spending years focused on credit quality and other issues.

In recent weeks, Treasury Secretary Jack Lew and bank regulators have been sounding the alarms about cybersecurity. The Office of the Comptroller of the Currency in particular has been meeting with bankers, the media and other agencies to warn of the threat from cyberattacks.

Though the regulators have not gone so far as to say banks have inadequate cybersecurity systems, some bankers argue many small and midsize institutions have paid too little attention to the issue.

"My sense is the regulators are ahead of the curve on this issue," said Eddy Arriola, chairman of the $244 million-asset Apollo Bank in Miami. "Our bank has made this a priority and there are other progressive banks out there," but among "the 6,500 community banks across the country, I bet that not enough of them are taking this serious enough."

Arriola said he attended a banker conference several weeks ago in Florida where an OCC representative talked about the importance of cybersecurity.

"I heard people in the audience say, 'Well, that's a [big bank] issue, they're not going to attack my little bank.' … [or] 'It's just another added cost, another compliance issue,'" he said. But "they [hackers] can, they want to and you have the money."

When asked what's driving the increased regulatory concern about cybersecurity, OCC officials said they have noted that cyberthreats have increased and become more sophisticated in recent years.

"It's really not a response to one particular event. It's really just an understanding this is a growing trend," said Valerie Abend, the OCC's critical infrastructure officer, during a call with reporters after hosting a cybersecurity webinar with community bankers on June 11. "We want to make sure we're doing everything we can to raise awareness across all size institutions."

Much of the attention was brought on after some larger banks fought off distributed denial of service attacks that could shut down their online and mobile banking systems.

The OCC and the Federal Reserve have repeatedly cautioned bankers about the potential for such attacks.

Lew also revealed recently that Treasury had met privately with financial institutions to discuss the issue. He urged business leaders to back legislation that would allow companies to exchange information with the government without increasing their legal liability.

"We need to make sure our rules and regulations have kept pace with the times," Lew said in a speech. "We need Congress to update federal agency network security laws, create a national data breach reporting requirement that clearly establishes a single compliance standard for all companies, and to make sure law enforcement is given other tools necessary to fight crime in a digital age."

Federal bank regulators have also been jointly reviewing their own policies and practices on cybersecurity.

"We continue to share insight on a multitude of interagency working groups that we're on, to be able to make sure that we are sending the appropriate messages to the industry and to make sure that they can be as prepared as possible," said Carolyn DuChene, the OCC's deputy comptroller of operational risk, in a conference call with reporters June 18. "There's is a great deal of information-sharing, collaboration and coordination between the agencies."

In its risk-perspective report released in mid-June, the OCC listed cybersecurity as one of the top threats to banks in the first half of the year. Regulators are seeking to ensure that bankers have integrated cybersecurity systems into their operations, but many institutions, particularly smaller banks, have yet to face a full-blown attack.

Many bankers think "the worst that can happen for a bank is just to have asset-quality issues" or anti-money-laundering issues, Arriola said. "Those are things you can have control over but this [cyberattack] is something you don't have control over. You don't know what they're inventing next — it's like terrorism."

But regulators have stopped short of saying that bankers are unprepared.

"Our institutions are well prepared and continue to make necessary adjustments to be vigilant so that they can identify, prevent, mitigate and respond to any type of attacks," DuChene said.

Still, regulators remain worried that cyberthreats largely targeted at megabanks could potentially migrate to midsize and community institutions.

Smaller banks mostly outsource their core processing functions to a third party, yet that also has created concerns for regulators because if one processor is hacked, it could allow a hacker access to multiple institutions.

"With a bigger institution, if they are breached it affects only them but if the processor gets affected, it would affect several banks," said Lilly Thomas, vice president and regulatory counsel at the Independent Community Bankers of America. "So both the bank and their processor need to make sure they keep up with all the new threats."

Though DuChene said banks are well equipped, she acknowledged that the most secure systems still depend on humans, who can pose the biggest risk.

"Sometimes, the weakest link in the security chain is the human element, so we continue to focus on making sure there is a heightened awareness to the culture of security within the institution," she said. "That involves a heightened awareness and heightened training that they do within their institution, many of which can be fairly low cost and very effective."

Unlike other new pushes by regulators, this one does not appear to be engendering much resistance, as many bankers recognize that cybersecurity is to protect their customers and their reputations.

"We're more mindful in how to provide appropriate tools to customers to protect themselves," said Doug Johnson, vice president of risk management at the American Bankers Association.

Johnson also argued that most bankers are rapidly getting up to speed on the subject, with some going so far as to provide information to customers on how they can protect themselves outside of their banking relationship.

"What financial institutions have found is that they do have just as much success discussing security with their retail or small-business customer as they have discussing investments with the investment community," he said. Banks "really should look at Internet channels as ways to enhance protections for the entire system."

It's unclear what steps regulators may take next. When asked if any cybersecurity rulemaking is forthcoming, DuChene said regulators were thinking "not in terms of regulations."

What's more likely is that a bank could be cited for a weak cybersecurity system as part of its overall operational risk review or a failure to its vendors' digital defenses are current.

For now, all parties agreed that the regulators are taking the right first step by reaching out to bankers through webinars and meetings rather than rulemakings or enforcement actions.

"One of issues that banks have had in past was when the regulators were slow to move on something, then they'd create a new rule and then say, 'On your next exam we're enforcing all of these rules'," Arriola said. In this case, "the regulators are having an open conversation … and saying, 'We may or may not make a rule about it but get on it,' and that's something they should be doing as opposed to setting a rule and enforcing it retroactively."

For reprint and licensing requests for this article, click here.
Law and regulation Bank technology
MORE FROM AMERICAN BANKER