Reading IT Tea Leaves


What joint-agency pilot data security exams may tell about future information security regulation

By Kelly Pike

In a world of hacktivists and state-sponsored cyberattacks, the cybersecurity threats facing community banks are evolving at a breakneck pace. From unauthorized wire transfers to denial-of-service attacks against websites, online crooks pose both financial and reputational risks to community banks. And regulators are invested in preventing them.

But to know where community bankers—and the regulators themselves—are falling short requires inside intelligence. That’s why the Federal Financial Institutions Examination Council and its member agencies conducted pilot IT security exams at 500 community financial institutions this summer. The goal of the exams was to assess how vulnerable institutions, including community banks, might be to cyberattacks and the effectiveness of their current risk and mitigations processes. They also served as a regulatory self-assessment to find gaps in guidance and examiner training.

“Based on what we find in the self-assessment, we’ll determine what, if any, next steps are needed to address gaps in FFIEC processes, policy and examiner training,” says Valerie Abend, senior critical infrastructure officer at the Office of the Comptroller of the Currency and chairman of an FFIEC committee coordinating the joint-financial agency cybersecurity pilot exams.

Regulators are quick to point out that the pilot exams were designed to supplement existing examinations and guidance, not impose new expectations. They did not impact CAMELS ratings for the banks and credit unions involved, but they may impact future guidance and procedures as the agencies spend the months after the exams pulling together and analyzing all the data. It’s too early for them to share what the next steps might be, they say.

But if feedback from IT experts and a community bank that underwent a- pilot exam are any indication, it looks like regulators are most interested in a top-down culture that emphasizes incident response plans, information sharing and vendor management.

Why now?

Cybersecurity moved to the regulatory forefront after President Obama issued an executive order on cybersecurity in February 2013—and attacks continue at institutions of all sizes.

Consider recent headlines. Last year hackers raised the limit on 12 accounts from the Bank of Muscat in Oman and reaped $40 million in a worldwide ATM cash-out fraud in less than 24 hours. In April the FFIEC sent out an alert about the Heartbleed bug, a software vulnerability that could let fraudsters steal passwords and other sensitive data. The same month the FFIEC released statements on distributed-denial-of-service attacks against website and ATM cash-out fraud.

“The exams are a response to the increasingly global cybersecurity dynamic.”
—Cary Whaley, ICBA’s technology policy expert

“The exams are a response to the increasingly global cybersecurity dynamic,” observes Cary Whaley, ICBA’s vice president, payments and technology policy. “Five years ago we were talking about guys in tennis shoes with hoodies who were hackers right out of college. Now we’re talking about people with briefcases who are international. They go to work every day to defraud you and break into various companies networks.”

The FFIEC describes its pilot exams as assessing practices in five areas: management and oversight; threat intelligence and collaboration; cybersecurity controls; external dependency management; and cyber-incident and risk management.

“It looks like the focus is on cyberthreat recognition, identification response and information sharing—things banks are expected to have in an IT security program,” says Amy McHugh, senior associate, IT consulting at CliftonLarsonAllen LLP, a consulting firm with dual headquarters in Milwaukee and Minneapolis. She is also a former FDIC IT examination analyst.

The pilot exams were accomplished with about 50 questions that expanded on current safety and soundness exam questions, according to one community bank examined. Some questions focused broadly on policies and processes, such as how and when cybersecurity incidents are reported to the board, processes for when an event occurs, and vendor management. Other questions were more technical and addressed firewalls, networks, logs and ongoing monitoring. Many asked for yes/no responses.

During the pilot exams, issues that would have been found during a normal exam process were cited in the exam report, says Abend, while things that went beyond existing guidance were discussed informally.

Tone from the top

The agencies have been emphasizing “tone from the top”—a security culture where both the board and senior management should be informed and engaged in cyber-risk management, especially the level of risk the institution faces. It was the subject of a webinar hosted by the FFIEC in May.

“What I’m seeing is that regulatory agencies are expecting board members and C-level management to develop their understanding of what’s actually going on in the bank regarding cybersecurity and information security in their bank,” McHugh says.

That means CEOs and the boards of directors need to understand their bank’s individual risk profile and develop risk management processes commensurate with its complexity, something addressed in February 2013 when the FFIEC issued a booklet with revised guidance for identifying information security risks and evaluating risk management practices.

“Part of our intent is to understand not only where they are [with cybersecurity resilience] but help them to continue to think about ways institutions can manage their risks as the threats evolve,” Abend says of the need for institutions to identify, monitor and mitigate risks, including those related to customer communications and payments.

Incident response

When it comes to mitigation, a solid incident response plan is a must.

“A really good incident response program was always a requirement, but there is really going to be a focus on having an incident response program to include specific threats, resources and activities similar to the testing of a disaster recovery plan,” McHugh says. “You want to show regulators you’re working on how to recognize an incident and the resources to share information about the incident.”

Part of that is having ways to detect anomalies, Whaley says. “If someone goes into a corporate customer’s account at 3 a.m. from a foreign location, creates 500 employees and tries to send each of them $9,999.99, a bank should be alerted and possibly able to block that transition.”

To help a bank develop or test its plans, McHugh recommends participating in the FDIC’s Cyber Challenge ( The challenge includes four scenarios banks can play through to discuss how they would address each incident. From identifying an event to knowing how to react to knowing when to inform regulators, law enforcement or customers, it gives the incidence response team a dry run. The Financial Services Information Sharing and Analysis Center (FS-ISAC), a member organization to which ICBA belongs, offers an annual challenge as well.

Information sharing

Just as important to planning for an event is being able to recognize one when it occurs. That’s why regulators are also looking at how banks are sharing information about IT security threats.

“I haven’t seen any specific requirements or minimum expected activities a financial institution is supposed to participate in,” McHugh says. “I always tell banks, start with peer groups like ICBA or FS-ISAC where you can be a member and feel comfortable sharing information with financial institutions in these groups.”

Staying on top of threats is paramount because as soon as a bank develops and adopts a particular set of controls, criminals take a different approach. Simply reading the newspaper isn’t enough, says Whaley. Entities like FS-ISAC can provide an early warning, technical insights into an attack and collective expertise. Any information shared is not attributed to any specific bank.

According to one community bank that went through the pilot, regulators seemed pleased when the bank participated in industry events. It can be as simple as taking notes and sharing them with the board. The bank also felt it would be useful to track major cybersecurity events—from the Heartbleed virus to new forms of website attacks and any new threats that emerge—and report to the board how the bank is prepared to deal with them.

Vendor management

The Target Corp. breach last December, where thieves stole 40 million credit and debit card numbers, continues to have ramifications. Criminals hacked into one of Target’s vendors, a Pittsburg-based refrigeration company, and got unfettered access to the chain’s internal network.

“Based on what we find in the self-assessment, we’ll determine what, if any, next steps are needed to address gaps in FFIEC processes, policy and examiner training.”
—Valerie Abend, federal regulator

“Third-party relationships are a point of vulnerability for institutions of all sizes,” says Abend, whose agency issued an updated guidance on the risks posed by third-party relationships in October 2013. “The FFIEC guidance on this topic is an important area that community institutions and all institutions need to focus on.”

FFIEC’s Cybersecurity Resources

Stay on top of cyberthreats and IT vulnerabilities, as well as the latest regulatory news, with the Federal Financial Institutions Examination Council’s cybersecurity webpage ( A central repository for all FFIEC-related materials on cybersecurity, it includes links to:

  • FFIEC IT Examination HandBook InfoBase. A collection of introductory, reference and educational training materials on topics of interest to field examiners—including cybersecurity.
  • Webinars. Includes the FFIEC’s May webinar and slides on the topic “What Today’s CEO Needs to Know About the Threats They Don’t See.”
  • Statements and alerts. From the Heartbleed bug to distributed-denial-of-service attacks against websites to ATM cyberattacks, get updates on major threats regulators expect community banks to address.
  • Other resources. Dig deeper into cybersecurity with recommended sites including the FBI and the Financial Services Information Sharing and Analysis Center.

“All the agencies have come in the last year with enhanced expectations for vendors—not just information security or information technology vendors,” McHugh says of the OCC and Federal Reserve guidances stating that banks can’t dismiss risk by outsourcing activities and must monitor the performance of vendors. “It’s any vendor a bank has.”
Agencies expect financial institutions to be able to identify every single third-party access point, McHugh says. Community banks should conduct a risk assessment for all of their vendors with access to customer information to know who is getting in, where they are getting in and if there are weak points.

McHugh suggests assigning a criticality rating for each vendor. Those with the most risk should be subjected to a higher level of oversight. The bank should have some way of monitoring provider activity.

But community banks shouldn’t expect vendors to share all their security plans, Whaley notes. “The more people who know about their tools, the more potential there is to ride around their tools,” he says. “You want to make sure tools are robust, but at the same time if they tell you precisely what they are doing, that’s not good either because that information can be intercepted.”

Some good news

As wary as community banks are about cyberthreats, there is also the wariness of new regulations adding to an already overwhelming regulatory burden. “Protecting bank and customer data is something community banks take extremely seriously,” Whaley says, “but we have to make sure in the process we don’t have regulatory burden.”
The good news is that at least one IT expert doesn’t see the pilot exams having a monumental impact on regulation.

“I don’t think there will be big changes at all,” McHugh offers. “If an institution has performed relatively well on a recent IT exam, a [score of] 2 or better … I don’t think it will have much of a problem.”

Kelly Pike is a freelance writer in Virginia.