Cyber awareness, cybersecurity, cyber threat, cyber-attack... cyber, cyber, cyber. It seems like everywhere we turn the buzzword is cyber. In recent years financial institutions have shifted budgets and spending from the latest and greatest new product technology to a heavy focus on IT security. For compliance, legal and reputational risk reasons, it is increasingly important for a financial institution to make IT security a top priority.
Just as financial institutions have changed their focus, so have the regulatory agencies. Years ago, it wasn’t uncommon for the federal regulator to be the only one performing the IT exam. Many state banking departments did not have the budget or expertise needed to examine IT. That has all changed in recent years. Not only have the federal examiners increased their staff and the depth of the IT exam, but many state banking departments realize the gravity of the risk this area poses to an institution if the proper controls are not in place. They are committing the funds and staff needed to ensure their state institutions are doing all they can to protect against, mitigate and recover from a cyber-attack.
IT is reviewed during the Safety and Soundness exam. While it is not considered in the CAMEL rating of an institution, it is a major factor in the overall rating. Regulators are focusing on the impact a cyber-attack can have on a financial institution. Within that consideration is whether or not the financial institution can absorb the cost of an attack. Can that institution pay a ransom if hit with a ransomware attack? What dollar amount would cripple it in a single cyber-attack? Looking at cybersecurity in this light brings a different viewpoint to the table.
Following suit from a recovery standpoint is business continuity. This is another area institutions and regulators are taking a much deeper look into as a result of cyber-crime. As required, all institutions have a process to back up critical data. As part of continuity testing, the back-up is typically tested to ensure the system can quickly be restored. However, many institutions are not fully testing the back-up from a complete-loss standpoint. They simply take the system down and bring it back up. They find out far too late that they have been living with a false sense of security. That peace of mind is shattered when they realize there is nothing in storage. For one reason or another the back-up was not storing the data. The system was tested to ensure it could be restored, but retrieval of the backed-up data itself was never tested. How detailed is your back-up recovery testing? Do you periodically test your back-up storage? Have you tested whether you can retrieve your back-up files and restore from them? Have you been paying for storage for years only to find out there is nothing there?
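The retrieval test this paragraph calls for can be scripted so that it runs on a schedule rather than once a year. The following is an added example written for this article, not a tool from any vendor or regulator: it records a hash manifest when a backup archive is created, and a restore drill later extracts the archive into a clean directory and reports every file that is missing or altered. An archive that turns out to contain nothing fails the drill immediately. The file names and contents are constructed sample data, and the helper names (`make_backup`, `drill`) are assumptions of this example.

```python
"""Backup restore drill: prove a backup holds the data it is supposed to hold.

Added example for this article (hypothetical helper, not any product's code).
The manifest is written at backup time and kept apart from the archive, so a
hollow or truncated archive cannot vouch for itself.
"""
import hashlib
import io
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, Tuple


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_backup(source_files: Dict[str, bytes]) -> Tuple[bytes, Dict[str, str]]:
    """Write an in-memory tar archive and a {path: sha256} manifest of its contents."""
    buf = io.BytesIO()
    manifest: Dict[str, str] = {}
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in source_files.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
            manifest[name] = sha256_bytes(content)
    return buf.getvalue(), manifest


def restore_and_verify(archive: bytes, manifest: Dict[str, str], restore_dir: Path) -> dict:
    """Extract into a clean directory, then check each manifest entry was retrieved intact.

    Returns a report; report["ok"] is True only when the manifest is non-empty and
    every listed file was restored with a matching hash.
    """
    restore_dir.mkdir(parents=True, exist_ok=True)
    root = restore_dir.resolve()
    report = {"restored": [], "missing": [], "corrupt": [], "skipped": [], "error": None}
    restored_hashes: Dict[str, str] = {}
    try:
        with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
            for member in tar.getmembers():
                if not member.isfile():
                    continue
                # Refuse members that would escape the restore directory.
                target = (root / member.name).resolve()
                if root not in target.parents:
                    report["skipped"].append(member.name)
                    continue
                extracted = tar.extractfile(member)
                if extracted is None:
                    continue
                data = extracted.read()
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(data)
                restored_hashes[member.name] = sha256_bytes(data)
                report["restored"].append(member.name)
    except tarfile.TarError as exc:
        # An empty or unreadable archive is exactly the "nothing in storage" case.
        report["error"] = str(exc)

    for name, expected in manifest.items():
        actual = restored_hashes.get(name)
        if actual is None:
            report["missing"].append(name)
        elif actual != expected:
            report["corrupt"].append(name)

    report["ok"] = bool(manifest) and not report["missing"] and not report["corrupt"]
    return report


def drill(archive: bytes, manifest: Dict[str, str]) -> dict:
    """Run restore_and_verify against a throwaway directory and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        return restore_and_verify(archive, manifest, Path(tmp))


if __name__ == "__main__":
    # Constructed sample data standing in for a core system's critical files.
    sample = {"ledger/accounts.db": b"acct-data" * 100, "config/core.ini": b"[core]\nmode=prod\n"}
    archive, manifest = make_backup(sample)
    print("good backup:", drill(archive, manifest)["ok"])
    hollow, _ = make_backup({})  # archive that stored nothing
    print("hollow backup:", drill(hollow, manifest))
```

The drill compares what came back against what was recorded at backup time, so it catches the two failures the paragraph describes: a job that silently stored nothing (every manifest entry reported missing) and a job that stored altered or truncated data (entries reported corrupt). Keep the manifest with the continuity plan records, not only alongside the archive it describes.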
As mentioned above, third-party vendor deficiencies are being highlighted with the increase in cyber-crime. IT exams already look at critical vendors as part of vendor management. However, in recent years the review goes beyond testing for controls. Examiners are looking for evidence from testing that the third-party vendor can perform the services for which the institution has contracted. Contract reviews and performance testing are becoming increasingly important to demonstrate during an exam. When testing your business continuity plan, consider taking a look at the vendor side also. What is in the contract as far as recovery time,
Insurance is another area that has changed with respect to the IT exam process. Cyber insurance isn’t just a decision to mitigate risk; it is expected. This one will certainly be on your IT exam request list. However, just having cyber insurance is not enough. It is important to know exactly what the cyber policy covers. This type of insurance can vary greatly in price. Look at the coverage versus the deductible. Is the deductible reasonable considering the strength of your institution?
What is your institution doing to protect against a cyber threat? Have you assessed the crippling point of a cyber ransom situation in dollar terms? Many institutions are now performing a tabletop cyber-attack exercise in conjunction with their business continuity planning test. Business continuity system testing must go beyond just recovery. Regulators are now looking to see whether institutions have considered this factor in their risk assessments and incident response plans.