On November 7, 2014, before the 10th Annual Community Bankers Symposium in Chicago, Comptroller of the Currency Thomas Curry discussed efforts to enhance
cybersecurity among community banks. In addition to emphasizing the need for improved cybersecurity at all financial institutions, Comptroller Curry noted
that the burden of cybersecurity falls especially hard upon community banks. To mitigate cybercrime risks, the Office of the Comptroller of the Currency
(OCC) and other bank regulators have provided a number of resources to financial institutions. Comptroller Curry’s speech highlights those resources and
provides a game plan for cybersecurity at community banks.
Given that community banks don’t have the same kinds of support to fight cybercrime as large financial institutions do, community banks should take
advantage of all the resources available to them. Comptroller Curry noted support provided by the Financial Services Information Sharing and Analysis
Center (FS-ISAC) and the Federal Financial Institutions Examination Council (FFIEC). The FS-ISAC is a private-sector nonprofit information-sharing forum
established by financial services industry participants in response to the federal government’s efforts to facilitate the public and private sectors’
sharing of physical and cybersecurity threat and vulnerability information. FS-ISAC helps community banks by providing an information-sharing platform where
industry experts can verify and analyze the threat and identify any recommended solutions. FS-ISAC enables community banks with limited resources to access
current solutions and best practices to guard against known and emerging cyberthreats.
FFIEC recently launched a cybersecurity awareness initiative that includes important resources for community banks. Comptroller Curry highlighted FFIEC’s
May 7, 2014, webinar for community banks on cybersecurity, alerts on the “Heartbleed” and “Shellshock” vulnerabilities, and statements addressing
cyberattacks on automated teller machines, among other resources. During the summer of 2014, FFIEC conducted a cybersecurity examination work program
(Cybersecurity Assessment) at more than 500 community banks intended to evaluate their preparedness to mitigate cyberrisks. On November 3, 2014, FFIEC
published its general observations of the Cybersecurity Assessment and issued a cybersecurity threat and vulnerability statement encouraging financial
institutions of all sizes to join FS-ISAC.
Understanding Inherent Risks
Comptroller Curry stressed that community bank boards of directors and management must understand the institution’s inherent cybersecurity risks and
vulnerabilities, because that understanding is an important tool for improving cybersecurity. As noted in its general observations of the Cybersecurity Assessment, FFIEC suggested that
chief executive officers and boards of directors ask the right questions to better understand the type, volume and complexity of operational
considerations, such as connection types, products and services offered, and technologies used. In addition to understanding inherent risks, community
banks should routinely discuss known and emerging cyberthreats (with assistance from FS-ISAC), and review the institution’s current practices and overall
preparedness, by focusing on the following:
- Risk management and oversight
- Threat intelligence and collaboration
- External dependency management
- Cyberincident management and resilience
Third-party service providers are important to all financial institutions, but are of particular importance to community banks. Third-party relationships
are a significant area of concern due to the large amount of sensitive bank and customer data associated with them. Given the reputational risks due to
data privacy breaches, Comptroller Curry reminded community banks that they must manage third-party risk by adopting appropriate risk management processes.
A community bank’s risk management processes should be commensurate with the level of risk and complexity of its third-party relationships and should
ensure comprehensive risk management and oversight of third-party relationships involving critical activities. When adopting risk management processes,
community banks should review OCC Bulletin 2013-29 for guidance on
assessing and managing risks associated with third-party relationships.
Implementing the Game Plan
Chief executive officers and boards of directors of community banks should use the resources provided by FFIEC and FS-ISAC to understand cyberthreats and
third-party risks by asking the right questions regarding their institutions’ cybersecurity preparedness. After analyzing the inherent risks, a community
bank should adopt a strong risk-governance framework that includes cybersecurity as a major component, along with operational risk and compliance risk. The
risk governance framework should be commensurate with the institution’s size, complexity and risk profile. When designing a risk-governance framework that
addresses Comptroller Curry’s cybersecurity suggestions, a community bank should:
- develop a comprehensive strategic plan and written statement for cybersecurity risk management to be approved by the board of directors or the board’s
- assign well-defined roles and responsibilities for implementing the cybersecurity risk governance framework that includes the board of directors, chief
executive officer, chief risk officer, front line units, independent risk management and internal audit;
- establish and adhere to written policies and procedures that mitigate cybersecurity and third-party vendor relationship risks by implementing an
effective third-party risk management process that addresses critical activities throughout the life cycle of third-party relationships; and
- review and update the risk governance framework as needed to address emerging risks, strategic plans and banking agency guidance.
Given the complexity and risks associated with bank regulation, community banks implementing a game plan based on Comptroller Curry’s remarks should review
the resources available on FFIEC’s Cybersecurity awareness web page and other materials provided by the OCC and other regulators. Please contact one of the
authors or your regular McGuireWoods lawyer with any questions regarding Comptroller Curry’s recent statements or data privacy and cybersecurity for
community banks. For more information, see the FFIEC’s Cybersecurity awareness web page or read an
online version of Comptroller Curry’s speech.
The FFIEC cybersecurity observations are also discussed in a recent post on
Password Protected, a McGuireWoods blog dedicated to current data privacy
and security news and trends. Subscribe to the blog to receive timely updates
via e-mail, Twitter or RSS feed.