Sifting Cyber Developments


ICBA represents community banks on the multi-faceted cybersecurity front

Cybersecurity and data security continue to be hot topics for community banks, both as a policy issue and as a daily operational reality. Consequently, ICBA is active in a wide range of cybersecurity and data security initiatives on behalf of community banks.

Independent Banker recently talked with Jeremy Dalpiaz, ICBA’s assistant vice president–cyber and data security policy, for a quick update.

IB: What’s on the regulatory horizon for cybersecurity for community banks?

Dalpiaz: In a nutshell, federal and state banking regulators are committed to ensuring the industry is responding to the ever-changing landscape of cybersecurity threats. To start, the Federal Financial Institutions Examination Council continues to be busy reviewing and updating its various examination booklets.

In 2015, the FFIEC revised its Management and Business Continuity booklets. This year, the council also updated its Retail Payments examination booklet as well as the Information Security booklet. We understand that more revisions are forthcoming to the E-Banking, Operations, Development and Acquisition, and Outsourcing Technology booklets, either later this year or early next year.

Many of the FFIEC’s updates reference the Cybersecurity Assessment Tool (CAT) issued last year. Speaking of the CAT, we have heard from member banks that examiners have asked if banks had completed the CAT prior to an in-person exam. While completion of the CAT is voluntary for an institution, it is part of the documents an examiner will complete while on-site.

IB: What is ICBA hearing about the CAT?

Dalpiaz: Many community bankers ICBA hears from are reporting that the examiners are engaging in meaningful conversations about the CAT. We also hear the opposite—that some examiners are not all that familiar with the CAT. For examiners who are or are not familiar with the CAT, the bank could seize the opportunity to talk about the positive aspects of their cybersecurity preparedness and educate examiners.

Certainly, we know that some improvements are needed—like removing the binary responses in the maturity model and having responses that more accurately reflect an institution’s competency with regard to a specific requirement. We have expressed these concerns with federal regulators. In fact, two industry comment letters, which ICBA coauthored, were filed with the FFIEC shortly after the release of the CAT. ICBA leadership community bankers also had the opportunity to express their comments directly to regulators last fall.

IB: What questions are community bankers asking about the exam survey?

Dalpiaz: The most common question I hear from our members is, will the CAT be updated? The best response I can give is, probably. The extent of that revision is yet to be determined, or what will be revised is also to be determined. ICBA certainly advocates for adjustments to the binary answers, as well as corrections to any mapping misalignments.

ICBA also does not want to see a large-scale revamping of the CAT. Simply put, most community banks have adjusted their practices and procedures and invested time and money into completing the CAT on a voluntary basis in preparation for examinations. A large-scale revamping would require an additional expenditure of funds that community banks could more appropriately allocate to preparedness rather than voluntary compliance costs! At the same time, ICBA is advocating community banks be permitted to use the tool, assessment or framework that best suits their needs.

IB: How has ICBA ensured that the community bank voice is heard at the national level concerning cybersecurity and data security?

Dalpiaz: ICBA is also working hard lobbying Congress to pass stronger data-security standards for all participants in the payments system. Community banks make consumers whole when a data breach occurs. Yet the retail industry isn’t held to the same high standards as community banks and other financial institutions in safeguarding customer information, even in instances when they are responsible for the data breach. That has to change.

ICBA is working diligently to persuade Congress to take action, but it is a difficult proposition. Congress is hesitant to weigh in because consumers are protected from harm, thanks to the banking system’s requirements. Bankers can certainly help by explaining to lawmakers what happens to a customer when their information is stolen or funds are fraudulently removed from their account and that it is unfair for banks to pick up the expenses related to another party’s negligence. Discussing this with members of Congress will raise their awareness and will complement ICBA’s efforts to obtain passage of a new law addressing this inequity.

IB: The various banking agencies have been busy on this issue, too.

Dalpiaz: Yes, certainly. Most importantly, as I mentioned, ICBA continues to advocate that banks be permitted to use whatever tool, assessment or framework best suits their needs. ICBA emphasizes that the cybersecurity readiness evaluation of community banks should realistically reflect the size and complexity of their operations.

It’s very important to community banks, for instance, that the National Institute of Science and Technology’s Cybersecurity Framework remains voluntary. Community banks must continue to have the flexibility to tailor their cybersecurity evaluations to the needs of the institutions.

IB: Other agencies have been involved as well.

Dalpiaz: Indeed. Earlier this year, the Justice and Homeland Security departments issued final guidance detailing how banks, and other private companies, could share cyberthreat indicators with the federal government and with each other. ICBA strongly supported legislation that made this possible. The law that Congress passed, the Cybersecurity Information Sharing Act, provides liability protections for community banks that share information with the federal government and with each other if certain requirements are met.

ICBA has published a summary of those guidelines, and they’re available on the association’s website.

While some community banks may not readily share information today, this new law provides protections when they do. For example, community banks that already share information through the Financial Services Information Sharing and Analysis Center (FS-ISAC) will not need to implement any changes to their current process. For existing FS-ISAC users, the act provides clarity on the legal protections provided to institutions that voluntarily share cyberthreat indicators and defensive measures. Greater information sharing will lead to greater resiliency for the entire financial services sector.

ICBA is engaged on many fronts to ensure the community bank voice is heard and reflected, including as an active member of the FS-ISAC and the Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security (FSSCC).

IB: What are FS-ISAC and FSSCC?

Dalpiaz: Great question. FSSCC consists of approximately 70 financial trade associations, financial utilities and the most critical financial firms. FSSCC partners with the public sector on policy issues concerning the resilience of the sector.

Over the years, the FSSCC built and maintains relationships with the U.S. Treasury and Homeland Security Departments, all the federal financial regulatory agencies and law enforcement agencies such as the Federal Bureau of Investigation and the U.S. Secret Service. Through these relationships, the FSSCC pursues initiatives designed to enhance the financial sector’s response to natural disasters, threats from terrorists, as well as cybersecurity threats and attacks.

As an active member of FSSCC, ICBA regularly engages with regulators on policy matters of critical importance to community banks. We co-lead workgroups and actively participate in workgroups to provide specific deliverables. ICBA now has a seat on the FSSCC executive committee, which gives us a greater role in shaping FSSCC governance and activities.

FS-ISAC is a global center for sharing cyber- and physical-threat analysis. ICBA is a member of the FS-ISAC. The FS-ISAC shares threat and vulnerability information; conducts coordinated contingency planning exercises; manages rapid response communications for cyber and physical events; conducts education and training programs; and fosters collaborations with and among other key sectors and government agencies. ICBA is very active within FS-ISAC.

IB: What new cyber-related initiatives has ICBA recently undertaken?

Dalpiaz: ICBA is very active in the cybersecurity field—from advocating for stronger data security standards for all participants in the payments system before Congress to advocating for common-sense regulatory requirements before the banking regulators. We’ve also been involved in helping to ensure the entire financial sector is resilient against cyberattacks and other events through our involvement in public-private partnerships.

Community banks from across the country participated in a sector-level exercise at the Treasury Department, and ICBA was involved as well. ICBA also hosted an exercise to test communications protocols among government and private sectors. These exercises covered matters such as communications protocols, expectations of bankers during a crisis, and the role of both the federal government and private-sector entities.

Earlier this year, we helped lead a sector exercise specifically for community institutions. ICBA expects to be involved in more of these exercises going forward and will encourage community banks to participate in these and other regional exercises.

IB: What about the .bank domain? What’s ICBA’s involvement?

Dalpiaz: We’ve also been actively engaged with the new .bank domain, which is more secure than .com domains. As of July 31, 5,991 banks worldwide have .bank domains. That includes 2,594 U.S. banks. So far, 170 banks, mostly U.S. based, have converted to the .bank domain.

Recently, ICBA presented to a group of community banks some recent success stories of banks that had converted to the new domain. Those stories can be accessed at