FFIEC Cyber Assessments: What to Expect

Experts Weigh in on How to Prepare

Doug Johnson

The Federal Financial Institutions Examination Council's new cybersecurity assessments for community banking institutions will be incorporated into the usual IT examination process, regulators say. Industry associations and analysts say banking leaders should be preparing for more stringent oversight of cybersecurity awareness and initiatives.

A new work program and assessment tool for cybersecurity will be used in banking institutions' regularly scheduled IT exams, says Stephanie Collins, spokeswoman for the Office of the Comptroller of the Currency, one of the banking agencies that's part of the FFIEC.

"[This] will allow us to develop a baseline assessment across the sector of how they are managing cybersecurity risks," she says. "In order to ensure that we comprehensively assess the cybersecurity environment in which financial institutions operate, we also plan to involve a number of the most critical technology service providers."

On May 7 and 8, the FFIEC and the Office of the Comptroller of the Currency announced plans to launch a pilot program for new cybersecurity assessments by the end of this year (see FFIEC Plans Cybersecurity Assessments).

But one banking institution executive, who asked not to be named, says regulators are already setting times for cybersecurity-related risk assessment exams with select banking institutions to coincide with their regular IT exams, some of which begin in the coming days.

Ensuring C-Level Awareness

Faced with the increased scrutiny, community banks and credit unions likely will have to prove they have strategic plans in place to ensure ongoing cyberthreat awareness and an understanding of cybersecurity threats at the board and executive levels, says Doug Johnson, vice president of risk management policy for the American Bankers Association.

The overall message from banking regulators: C-level executives and boards of directors at community banks and credit unions must ensure that cybersecurity is part of everyday business, he says.

Regulators won't be asking institutions to make changes in how they conduct their risk assessments, Johnson says. Instead, they just want to ensure community bankers truly understand how emerging cyber-attacks could affect their business, he explains.

"There is a lot of signaling of what needs to be done within the [FFIEC's] authentication guidance and third-party risk guidance - both of which point to the need for continuous monitoring and that you have to continually look at risks and threats and determine what kind of mitigating efforts you have to put in place," Johnson says.

Institutions should be prepared to show that they have identified and understand the risks they face, he adds. "That is really what the regulatory agencies are looking for."

A Clear Message

During a May 7 webinar the FFIEC hosted for C-level executives at community institutions, the clear message was that it's critical for banking leaders to increase awareness of cyber-risks across their institutions.

Bill Nelson, president of the Financial Services Information Sharing and Analysis Center and a participant in the May 7 webinar, says C-level banking executives should be getting more directly involved with security and risk assessments.

"Even if your FI [financial institution] outsources its IT operation, the FI is still responsible for cybersecurity of its enterprise and its customers. It's important to learn about the latest threats, and you need to join information-sharing bodies."

Nelson also says he expects the FFIEC to issue expanded guidance on cybersecurity. "Congress has paid particular attention to the cyber security issue in light of recent breaches," Nelson says. "This has resulted in focus on cybersecurity by regulators to ensure that the organizations they regulate are aware of the issues at the C-suite level."

Shirley Inscoe, a financial fraud analyst at consultancy Aite Group, says recent data breaches and the exposure of consumer information spurred the FFIEC to make cyber-issues more of a priority.