As many community banks rely more and more on data and third-party vendors, cybersecurity compliance is becoming a job not just for compliance officers, but for everyone.
By Mary Thorson Wright
Cybersecurity compliance is the responsibility of the chief information security officer (CISO) and the compliance officer, right? Well, yes and no. Managing the risk that comes with the rising reliance on data begins with a community bank’s security culture and the governance of its cybersecurity program.
“Community banking is built on trust and relationships. It’s good business to effectuate cyber risk policies and mitigate threats to protect customer and bank information and funds,” says Jeremy Dalpiaz, ICBA’s vice president of cyber and data security policy. “In our interconnected world, cybersecurity and today’s marketplace risks must be recognized in every line of business and operation. It belongs to everyone: the board of directors, mortgage lender, bank president, customer service representatives, vendors and so on.”
The bank’s board of directors is responsible for providing the management structure; assigning responsibilities and authority; establishing policies, standards and procedures; allocating resources; and enforcing accountability. Integrating cybersecurity into all activities throughout their life cycles and enforcing a system of accountability for information security signals a strong culture.
Dalpiaz advocates for robust cybersecurity coordination to flow information into, out of and within the bank, using language that relates to the audience’s need for security awareness. How can the Bank Secrecy Act (BSA) and anti-money laundering (AML) officer best communicate with the CISO? How can the bank president ensure the directors understand cybersecurity issues and the ultimate risks?
Activities made on the bank’s behalf aren’t always internal. As community banks use the economies of scale and skill sets that vendors offer, risks can increase—a fact that doesn’t elude regulators. Dalpiaz says a strong cybersecurity program includes a robust vendor selection process and ongoing due diligence. Each of the regulators has guidelines for vendor management, and he encourages community banks to review them and to use ICBA’s Core Processor Resource Guide.
Training on general risks and those identified as potential or actual risks for the organization is critical. “When phishing emails or employees clicking on phishing emails are identified,” Dalpiaz says, “it is a prime opportunity to give timely training to make the staff aware of the risks and how to avoid or mitigate them. For broader training coverage, the Community Banker University offers several cybersecurity training courses.”
Bank staff should train with industry exercises. “The FDIC offers cybersecurity vignettes that can be implemented with no need to involve outside parties,” Dalpiaz says, “and other organizations, such as FS-ISAC [the Financial Services Information Sharing and Analysis Center], offer exercises throughout the year that can help identify gaps in the cybersecurity program and train staff.”
Testing, audits and, in particular, penetration testing, also known as pen testing, can reveal gaps in policies, procedures and training. A pen test targets systems and users to identify weaknesses in business processes and technical controls by mimicking real-world attacks selected and conducted by the testers. If a bank doesn’t have a pen-testing vendor, Dalpiaz suggests one option is the Department of Homeland Security’s National Cybersecurity Assessments and Technical Services program, which provides pen testing at no cost for banks that agree to the service.
Dalpiaz believes information sharing is critical, especially in the case of threat migration. He suggests that if an institution becomes aware of a suspected attack or vulnerability, one way to share that information is by contacting the FS-ISAC. This helps protect all banks because they can reach out to government intelligence partners and share information with the broader financial services industry.
“FS-ISAC collaborates on critical security threats facing the entire financial services sector and is a resource for technology officers, payments processors and the like,” he says. “It shares information with the industry anonymously, and, in the Community Institution Council, resources are shared that focus on community institutions.”
For the practical aspects of day-to-day operations and to maximize resources, a bank’s cybersecurity program should incorporate information from the Federal Financial Institutions Examination Council (FFIEC) IT Examination Handbook. Dalpiaz adds that banks should also select a risk assessment that matches their needs. “Create an inventory of the bank’s systems, data and technology, and understand how each line of business and operational function uses them and has access to them, including vendors,” Dalpiaz recommends. “The FFIEC handbook and cybersecurity assessment tool are the resources. ICBA and government agencies provide resources available to community banks, such as tabletop exercises and threat-mitigation information, which may also be of great benefit.”
He encourages community banks to look beyond the compliance officer and chief information security officer to build cybersecurity into every aspect of the business. “Cybersecurity compliance is not isolated to a point in time or to a few people,” he says, “and must be addressed in a comprehensive, dynamic, ongoing fashion.”
Mary Thorson Wright, a former Federal Reserve examiner, is a financial writer in Virginia.