Community banks, often at the heart of local economies, find themselves at a crucial juncture where their approach to risk management, particularly in cybersecurity and operational resilience, could determine their future success or vulnerability.
Whether your regulator is the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corp., Department of Financial Institutions or Federal Reserve Board, you will likely face a heightened focus during your next exam on how you manage and mitigate risks, making this cycle a pivotal moment for your bank. The following serves as a roadmap for your bank to effectively prepare for your next exam based on firsthand experiences with community bank clients across recent examinations, from business continuity to cyber expertise.
The goal is not just to prepare for the scrutiny of the next examination but to foster a culture of proactive risk management that safeguards your bank’s future in an increasingly uncertain world.
Elevating Business Continuity Management to Board-Level Priority
Examiners have asked detailed questions about business continuity management (BCM), specifically how your bank tested its plans and the results of those tests. But more than that, examiners wanted to know that management regularly presented the results to the bank’s board. They asked for documentation detailing when those presentations happened, to prove management had done more than summarize the results into a paragraph in the annual information security report. They wanted clear evidence that BCM planning and subsequent testing were presented to the board as a detailed report – and discussed thoroughly by management.
What does that mean for you? First, you should prepare a testing calendar at the beginning of the year that details your planned BCM tests. Then, regularly update the document throughout the year, detailing test results, observed issues and relevant remediation activities. Lastly, share that information with the board or an appropriate board committee.
Board Reporting and Oversight
Examiners have also asked what and how often management reported to the board – specifically about cybersecurity and IT operations – and how well directors grasped essential issues.
Examiners’ questions focused on whether bank directors read their banks’ annual information security reports and asked relevant questions of management. There were questions about the IT strategic plan, how recently it was updated and what visibility the board had in the process. It is part of a board’s governance responsibility to approve the IT strategic plan, and that responsibility includes directors being familiar with its contents.
Given the current cybersecurity landscape, it is vital to have regular conversations with your directors about their IT and cybersecurity governance responsibilities, not just once a year but as an ongoing dialogue.
Understanding Operational Resilience Through the Lens of Third-Party Systems
You will want to ensure you have identified any systems for which it is difficult or impossible to build a redundant operational strategy (e.g., hosted core processor, SaaS-based LOS). Ensure your board clearly understands that if the provider is hard down for these identified systems, you are hard down, too. No one expects your bank to have a “backup” core processor, but examiners expect the board to know which systems or vendors present that risk.
Of course, your board understands this for vendors like your core processor – but do your directors understand how your bank could be impacted if other vendors were to have an extended outage? Take your ATM or ITM vendor, for example. Last year, a regional service provider’s issue affected thousands of supported devices across hundreds of banks. What would you do if your ATM/ITM service provider has an outage that takes all your ATMs or ITMs offline?
What is your process to respond to customers needing to transact with your bank if one of these services or vendors is unavailable? Has management discussed this with your board? Do your directors know which of your other vendors could significantly impact bank operations? And do they know how your bank would adapt to that situation?
Elevating Vendor Due Diligence
You already know you must be able to demonstrate how you assess your vendors and their controls. But are you looking at the complementary user entity controls in your critical vendors’ SOC 1 and SOC 2 reports? Are you reviewing each of those and ensuring your bank has the specific controls in place? This has always been an expectation, but recently, examiners are diving deeper and asking for more and better evidence that you regularly evaluate these risks.
Cultivating IT Leadership
At one bank, an examiner questioned whether the bank’s IT manager was competent for the role. The examiner was concerned that the person had been doing that job for several years but had not kept pace with appropriate professional development.
You should ensure your IT management staff have adequate expertise in the technologies your bank employs. That may sound simple, but if the board and senior management have little or no technology expertise, it may be difficult for the bank to effectively supervise the IT staff. You must ensure your IT staff continually update their knowledge and expertise as the cybersecurity landscape evolves.
The concern is valid. Bad actors continually refine their attacks and improve their methods, and you need to expand your security approach commensurately. Systems and expertise that were adequate five years ago may no longer be enough to thwart a sophisticated attack.
Your management team – and your board – need to understand that and be willing to address aging approaches that may be creating vulnerabilities.
Conclusion
As regulatory bodies intensify their focus in these areas, it is imperative that banks prepare for heightened scrutiny and view these examinations as a catalyst for strengthening their operational foundations. By prioritizing comprehensive business continuity planning, enhancing board oversight and rigorously managing third-party risks, your bank can not only navigate the complexities of the current regulatory environment but also lay a solid groundwork for sustainable growth and resilience.
Milton has more than 25 years of experience assessing and mitigating risks for regulated organizations. He serves as virtual chief information security officer for several client banks and as an active board member of the InfraGard Middle Tennessee Members Alliance. He also is active in the national InfraGard Cyber Finance Working Group.
Email Milton at info@ImageQuest.com.
ImageQuest is an associate member of the Indiana Bankers Association.