Pilot program aims to assess technology-risk readiness
Community banks and credit unions with inadequate programs to fight cyber risk may soon be hearing about it from their examiners.
New cybersecurity regulatory assessments - now being piloted at more than 500 community-sized institutions as part of regular safety and soundness exams - are meant largely to help authorities gauge cyber-risk readiness at smaller banks that lack the resources available to their larger counterparts.
But the assessments appear to be more than academic. Officials say issues arising during a review may be identified in an institution's formal exam.
"If we find issues, absolutely we are telling examiners that, based on the existing guidance, they need to inform management of the institution about where their program may be lacking," says Valerie Abend, senior critical infrastructure officer at the Office of the Comptroller of the Currency. "Where it is something that follows current policies, the finding will be part of the examination report."
The Federal Financial Institutions Examination Council announced the assessments in May and introduced them in June for 500 institutions that were next up in the schedule of normal safety and soundness exams. This initial round of assessments was expected to last through mid-July.
Fears of financial cyberattacks tend to center on the big-name banks. But with smaller institutions typically outsourcing their technology and security functions, regulators are increasingly directing attention to their readiness as well.
In addition to assessing "the complexity of an institution's operating environment," according to a summary on the FFIEC website, the review focuses on five key components of cybersecurity preparedness. They are: risk management, threat intelligence, cybersecurity controls, the reliance on external management and how the institution would manage a cyber incident.
While the pilot assessment "does not impose new expectations for institutions, nor will it result in any new examination rating," examiners finding possible violations of current legal or regulatory guidance on cyber readiness "will inform the institution and communicate necessary corrective action," the summary says.
Cybersecurity experts say the assessments are likely to address the level of engagement and accountability of boards and senior-level experts as they relate to the institution's technology risk management. Some analysts note that the practice of outsourcing has led some executives to believe, wrongly, that they have outsourced the risk.
"This is very focused on accountability for risks from the board on down," says Gary Owen, a director at Promontory Financial Group. "They can outsource the function, but part of that outsourcing would require that they have some transparency, visibility and understanding of how those risks are being managed. They still need to have a response plan if data is lost or a hacking event occurs."
The OCC's Abend says the next step for regulators will be to analyze the findings of the initial round of reviews and to "then make a determination of how to leverage the information" in developing policies and supervisory practices.
"There is a lot of focus on getting this right because of the cyber risks facing the industry," she says. -Joe Adler
Copyright SourceMedia Aug 2014