Ten Focus Areas From the Regulators
Over the last couple of months I have moderated two regulatory panels, one for the South Carolina Bankers Association and one for the Georgia Bankers Association. The panels had a mix of regulators from the state, the FDIC, the Federal Reserve and the OCC, plus two industry experts, David Mills from Carr, Riggs & Ingram and Jeremy Clifton from Steve H. Powell and Company. I thoroughly enjoy moderating these panels; my goal is to make sure the audience leaves with the most critical items clearly highlighted so they can take them back to their bank. I spent almost six hours with the panelists in pre-planning and, of course, during the panels themselves. As part of that process I wanted to highlight the ten areas of focus that were discussed.
1) Increased Focus on Cybersecurity
Attacks continue to increase in both volume and sophistication. One regulator on the panel noted that the title of the IT exam has been changed to a "Cyber Exam". In addition, the OCC has started using the FFIEC Cybersecurity Assessment Tool as its examination framework, completing the responses from the documentation and reporting that the Information Security Officer provides. Regulatory focus on cybersecurity continues to expand, and no amount of insurance on its own will protect your institution.
2) Risk Assessments
I know what most of you are thinking… “Oh Great!” (with heavy sarcasm included)
On both panels there were focused discussions on the need to improve the risk assessment process; the Asset Based Risk Assessment (ABRA) has become "long in the tooth". In today's technical environment the risk is less about the asset and more about the data. Examiners expect banks to know where their non-public customer information is stored and how it is secured against both internal and external threats.
3) Risk Assessments on New Products and Vendors
Risk assessment has been a consistent theme with the examiners for several years, but based on my conversations with the regulators it appears that contracts are still being signed without a risk assessment performed by the Information Security Officer. A risk assessment should be completed for every vendor as part of due diligence, before the contract is signed; at a bare minimum, backfill the process by completing one even if the contract has already been signed.
4) Bank Secrecy Act Customization
The regulators were quick to point out that they do not recommend specific software, or even that software is required, for BSA compliance, but there is an absolute need to tailor BSA processes to the institution's customers and the services it provides electronically.
5) Monitoring and Oversight
The panels reiterated that institutions need to manage and validate their system management controls, including patching, antivirus, and firewalls.
6) Segregation of Duties
Segregation of duties is not a new concept in banking, but the focus and responsibilities are evolving in IT management and oversight. There was concern about a lack of independent oversight by the Information Security Officer. The ISO needs to report outside of IT or Operations, ideally to the CEO or the board. There was also discussion of banks needing to increase the ISO's knowledge and expertise.
7) Incident Response
Incident response was another consistent theme on both panels: banks need to change their planning from "if" to "when" a security incident occurs. Institutions need an active incident response plan that is tested annually. There was also a recommendation to keep a cybersecurity / forensic firm on retainer. I have a copy of the handout from the Federal Reserve that gives some great feedback on best practices. Let me know if you want a copy; I am happy to send it to you.
8) Social Media Monitoring
Social media monitoring was a new topic added this year, with regulators calling for active monitoring. The senior management response of "we are not on social media" is no longer enough for the regulators. There were a couple of conversations about best practices, but if you do not have software in place for social media monitoring, it is probably time to start looking. Several tools on the market can help your institution manage this.
9) Attack Examples
In both sessions there were discussions of specific scenarios in which banks were compromised and, in most cases, a fraudulent ACH transaction followed. It was recommended that banks hold memberships in FS-ISAC and CERT. One recommendation was to focus on following your own policies; call-back verification of requests from board members and important customers was specifically highlighted.
10) Vendor Management Emphasis Continues
The regulators discussed the reliance on third-party providers and the continued need for banks to manage those relationships. Vendor management includes reporting, oversight, and validation of the services the vendor provides. There was a focus on the vendor review process, specifically SSAE 16 (and soon SSAE 18) reports and the potential gaps in those audits. For instance, the services a bank has contracted for may not be in the scope of the vendor's SOC 2 report, which requires more due diligence in the audit review. One new item was a discussion of fintech partnerships and best practices when entering into agreements with up-and-coming technology providers. Finally, there was concern about the auditing and validation of the vendor's own vendors (fourth-party relationships).
FINOSEC is dedicated to helping our customers better manage and navigate cybersecurity by providing Information Security Officer (ISO) and cybersecurity assistance and consulting. To learn more about FINOSEC, you can follow our company here or reach out to us at [email protected].
Executive Vice President, Information Security and Chief Credit Officer at Citizens Trust Bank
6 years ago: Having just completed an Examination, Zack, your comments are spot on. It is painful against the backdrop of all the other tasks for which we are responsible, yet these focus areas NEED our immediate attention. Think of recent breaches and the related aftermath... I'll take proactive measures and Examinations any day!
Rebyc Security - CEO | Cyber Security | Penetration Testing | Social Engineering | Web Application Testing
6 years ago: Well done - I'm a personal fan of #1!
Partner, Director of IT Audit and Assurance at Carr, Riggs & Ingram, LLC
6 years ago: We had great questions from a great GBA group!
Helping financial institutions simplify cybersecurity
6 years ago: The South Carolina Bankers Association and the Georgia Bankers Association had me moderate panels with regulators and the experts David Mills and Jeremy Clifton. Check out the 10 focus areas.