Even though I worked for a bank automation company for about 20 years, I am totally technically illiterate. While I enjoyed working with our technology folks, it was always disquieting to know that I was the dumbest person in the room. That said, I am smart enough to know that if a college student sitting in a dorm room in Russia can get into our federal computer systems, the odds are pretty good that he or she can get into yours. Technology vendors will lead you to believe that cyber security is the greatest threat to financial service companies, and maybe they are correct.
In October 2016, the regulatory agencies published a proposed rule for “Enhanced Cyber Security Risk Management Standards”. While this proposed rule applies only to financial institutions with over 50 billion dollars in assets, its issuance demonstrates the focus that the agencies have on cyber security. My guess is that information technology examinations will become much more stringent with respect to cyber security. The cyber security risk for a community bank is therefore twofold. The first risk is that your institution will actually be hacked. The second and more probable risk is that your institution will be criticized for having a program that is inadequate.
The agencies have published numerous information pieces on cyber security. The first is the Uniform Rating System for Information Technology (URSIT) published by the FFIEC. It was most recently updated on January 20, 1999. In 2000, in response to a requirement in the Gramm-Leach-Bliley Act, the agencies published the “Interagency Guidelines Establishing Information Security Standards”. In 2003 the FFIEC began publishing the “Information Technology Handbook”, which includes the “Information Security Booklet”. Most recently, in June 2015, the FFIEC published the “Cyber Security Assessment Tool”. In total, the agencies have published a ton of very useful information and guidance on cyber security.
In most financial institutions, the greatest cyber security risk is the institution’s employees. They aren’t the greatest security risk because they are bad folks, but because they have not been educated adequately on the dangers and on what to look for. They receive an email from an unknown source, open the attachment, and bingo, they are hacked. If your institution has not done a self-assessment of your cyber security using the FFIEC’s “Cyber Security Assessment Tool”, I strongly suggest that you do so. And in doing it, make sure that you document your assessment thoroughly. Remember that from an examiner’s standpoint, if it isn’t in writing, it didn’t happen. Review your cyber security policies and procedures and make sure that your employee education is sufficient.
Depending on the size and sophistication of your IT staff, you may want an outside third party to conduct your assessment for you. There are several very good vendors that will perform your assessment, review your policies and procedures, and assist you in “tweaking” them where they need it. The vendor can also periodically perform a simulated hack to see just how good your program really is.
Every financial institution is totally dependent on its automation systems. If they are not working or are otherwise unavailable, you are virtually out of business. That is why information security is mission critical and a failure can be so costly. Add to all of that the reputation risk you have if you have to inform your customers that their personal information has been stolen. You can never be 100% confident that your systems will not be breached, but you can do enough to lessen the risk so at least you can sleep at night.