Asking new questions and often following up with requests for hard proof, examiners are delving deeper than ever before into how community banks monitor and address cyber and IT security threats, thanks to new IT security exams launched late last year.
With this new regulatory focus on cybersecurity, examiners are investigating whether community banks are prepared to deal with threats and whether awareness of these risks is shaping decisions at the board level, say community bankers who have undergone the new exams. And while examiners are more frequently asking for information such as logs, policies, procedures, meeting minutes and other data, community banks already following best practices say they feel well prepared for these exams.
"It wasn't so much what they were looking for but how they looked for it," says Joel Williquette, vice president of information technology at $273 million-asset Bank of Luxemburg in Luxemburg, Wis., of his bank's February IT security exam by the Wisconsin Department of Financial Institutions. "In past years, examiners would ask a question, we'd give an answer and then move on. This time they randomly selected things and dug in pretty deep."
Williquette compares the new IT exam process to a regulatory loan exam where a bank's processes are reviewed and then examiners grab a few files and go in deep. In his case, examiners looked closely at Bank of Luxemburg's information security program, including its vendor management and Gramm-Leach-Bliley Act compliance efforts, and risk assessments for smartphone check capture.
In the past, examiners might have asked how often penetration tests are done, Williquette observes. This time they specifically asked what systems were tested, looked at audit results of those tests and asked what the bank did with them.
Examiners at the $250 million-asset First State Bank in Barboursville, W.Va., asked to see logs, including samplings from routers and logs from the third-party company that provides the bank's 24/7 Internet monitoring, information that Mike Hamilton, the bank's chief information officer, had provided ahead of time, even though he hadn't been asked for it. He also provided results of his bank's annual Federal Financial Institutions Examination Council-level audit.
Mitch Borneman, executive vice president and chief operating officer of $265 million-asset Heritage Bank of Central Illinois in Trivoli, Ill., also noticed a difference from the bank's previous exam. Heritage Bank was one of the 500 community banks and credit unions included in pilot IT security exams conducted by the FFIEC and its member agencies last summer. The results of those exams influenced the changes to the current exam.
"It was more encompassing than 'we need the following items,'" Borneman says. "It was all items, all policies. It was almost an audit that looked at everything we did as an IT shop. It didn't just risk-assess based on how we answered questions."
Examiners asked Borneman and his staff members for everything from network users and their rights, in order to compare them with their job responsibilities, to wire transfer agreements. For remote merchant capture, examiners not only asked to see procedures, but wanted to see the log of when Heritage Bank went on site to monitor its customer compliance procedures.
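The user-rights review examiners asked for at Heritage Bank, comparing each account's granted rights with the job role it is supposed to hold, is a reconciliation that can be scripted. The following is an added example and not code from Heritage Bank or from the article; the role matrix, the account export, the right names and the separation-of-duties pair are all constructed for illustration, and a directory export of the same shape would be the real input.

```python
"""Access review: reconcile granted network rights with a job-role matrix.

Added example, not code from Heritage Bank or the article. Every name below
(roles, rights, accounts) is constructed for illustration.
"""
from collections import namedtuple

# Constructed role matrix: the rights each job title is supposed to hold.
ROLE_MATRIX = {
    "teller": {"core_banking_read", "branch_share"},
    "loan_officer": {"core_banking_read", "loan_origination", "branch_share"},
    "wire_operator": {"core_banking_read", "wire_initiate"},
    "wire_approver": {"core_banking_read", "wire_approve"},
    "it_admin": {"domain_admin", "backup_console"},
}

# Constructed account export, as a directory dump might provide it.
User = namedtuple("User", "account title rights last_logon_days")
USERS = [
    User("jdoe", "teller", {"core_banking_read", "branch_share"}, 1),
    # wire operator who also kept approval rights after a job change
    User("asmith", "wire_operator", {"core_banking_read", "wire_initiate", "wire_approve"}, 2),
    # loan officer never granted the loan system
    User("bjones", "loan_officer", {"core_banking_read", "branch_share"}, 3),
    # privileged account nobody has logged into for four months
    User("svc_old", "it_admin", {"domain_admin", "backup_console"}, 120),
    # title that has no entry in the role matrix at all
    User("mlee", "intern", {"branch_share"}, 5),
]

# Right combinations one person should never hold at the same time (constructed).
TOXIC_PAIRS = [{"wire_initiate", "wire_approve"}]


def review_access(users, role_matrix, toxic_pairs, dormant_days=90):
    """Return a list of (account, finding_type, details) tuples for the examiner file."""
    findings = []
    for u in users:
        expected = role_matrix.get(u.title)
        if expected is None:
            # No role definition means nobody has decided what this person should have.
            findings.append((u.account, "no_role_definition", sorted(u.rights)))
            continue
        excess = u.rights - expected      # rights beyond the job's need
        missing = expected - u.rights     # rights the job needs but lacks
        if excess:
            findings.append((u.account, "excess_rights", sorted(excess)))
        if missing:
            findings.append((u.account, "missing_rights", sorted(missing)))
        for pair in toxic_pairs:
            if pair <= u.rights:          # both halves of a toxic pair on one account
                findings.append((u.account, "separation_of_duties", sorted(pair)))
        if u.last_logon_days > dormant_days:
            findings.append((u.account, "dormant_account", [str(u.last_logon_days)]))
    return findings


def format_report(findings):
    """Render findings as one line per exception, suitable for a review binder."""
    return [f"{acct}: {kind} -> {', '.join(details)}" for acct, kind, details in findings]


if __name__ == "__main__":
    for line in format_report(review_access(USERS, ROLE_MATRIX, TOXIC_PAIRS)):
        print(line)
```

The review is deliberately two-sided: excess rights are the finding examiners are looking for, but missing rights and undefined roles are worth recording too, because they show the role matrix is out of date rather than the provisioning. Sign-off on each exception line by the account owner's manager is what turns this output into the evidence an exam asks for.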
The questions, he notes, were designed to understand what a bank would do in case of a potential data breach. FDIC examiners wanted to know, for example, what Heritage Bank was doing to control its IT environment and if it was doing enough. It really made the bank think more about perimeter security, internal security and security standards, Borneman says.
Though examiners were asking for more, Richard Bradfute, chief information officer of $220 million-asset JP Stone Community Bank in Portales, N.M., is impressed with the organization of the new pre-exam questionnaire. It simplifies requests for policies and reports with a cleaner layout. It also has more questions on risk and how it's managed, qualifications for internal auditors and vendor management. For the 69 standard items examiners are requesting, JP Stone Community Bank turned in 700 files.
"We try to be very thorough in presenting materials to the examiners," Bradfute says. "It helps make their job easier and the exam go more smoothly."
The cybersecurity review
Examiners seem particularly interested in probing cybersecurity issues, community bankers report.
"They had more sophisticated questions in regards to security processes, monitoring and incident response plans," notes Williquette, who felt like examiners had received additional technology training.
At First State Bank, FDIC examiners wanted to know the type of cybersecurity training the bank's board had received as well as its directors' understanding of threats, Hamilton says. In the past, examiners wanted to see whether the board was actively involved in IT risk assessments. First State Bank's most recent IT exam went beyond those questions to find out whether the board had sat through defined cybersecurity training about different advanced persistent threats, including phishing, he says. They wanted to know if the bank had put a training program in place, but did not say anything when the bank did not have a formal plan in place, although its board has had considerable training.
"I expect that if I don't have one next year it will be a problem," Hamilton predicts. He was also surprised, based on research he had done, that he didn't have to show examiners evidence of cybersecurity training programs for users.
Borneman, who underwent an IT pilot exam last summer, says examiners recently asked for any IT or cybersecurity information that was shared with Heritage Bank's board. For example, in January he told the bank's board that firewalls had been put in place to block certain countries from the bank's network. Soon after, the bank had 30,000 attempts originating from mostly one country to bounce spam off the bank's email network. It normally receives 3,000 emails a day. That's the type of event Borneman says he will summarize for the board and share with examiners in future exams.
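The event Borneman describes, a burst of blocked connections from one country against a known daily baseline, is the kind of thing a short script over the mail gateway or firewall log can flag and turn into a board summary. The following is an added example and not code from Heritage Bank or the article: the log format, the prefix-to-country table standing in for a GeoIP lookup, and the sample lines are all constructed; only the 3,000 messages per day baseline comes from the text.

```python
"""Baseline-versus-spike check over mail gateway connection logs, by source country.

Added example, not code from Heritage Bank or the article. The log format and the
country table are constructed; a real deployment would read the gateway's own log
and use a GeoIP database.
"""
import re
from collections import Counter

# Constructed log line format: "<timestamp> src=<ip> verdict=<accept|reject-...>"
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<ip>\d+\.\d+\.\d+\.\d+) verdict=(?P<verdict>\S+)$")

# Constructed prefix-to-country table standing in for a GeoIP lookup (documentation ranges).
GEOIP_PREFIXES = {"203.0.113.": "US", "192.0.2.": "CA", "198.51.100.": "XX"}


def country_for(ip):
    for prefix, cc in GEOIP_PREFIXES.items():
        if ip.startswith(prefix):
            return cc
    return "??"


def build_sample_log():
    """Constructed log: one hour of normal traffic plus a burst from one blocked country."""
    lines = []
    for i in range(20):   # ordinary accepted mail from one country
        lines.append(f"2015-01-12T08:{i:02d}:00 src=203.0.113.{i % 250 + 1} verdict=accept")
    for i in range(10):   # a little accepted mail from another
        lines.append(f"2015-01-12T08:{i:02d}:30 src=192.0.2.{i + 1} verdict=accept")
    for i in range(500):  # the burst: hundreds of geoblocked attempts in the same hour
        lines.append(f"2015-01-12T08:{i % 60:02d}:{i % 60:02d} "
                     f"src=198.51.100.{i % 250 + 1} verdict=reject-geoblock")
    lines.append("malformed entry that the parser must skip")
    return lines


def parse_events(lines):
    """Return (hour, ip, verdict, country) tuples; lines that don't match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        hour = m["ts"][:13]  # e.g. "2015-01-12T08"
        events.append((hour, m["ip"], m["verdict"], country_for(m["ip"])))
    return events


def detect_spikes(events, daily_baseline=3000, factor=3.0):
    """Flag (hour, country) pairs whose blocked attempts exceed factor x the hourly baseline.

    The hourly baseline is the daily message volume spread evenly over 24 hours; a real
    baseline would be measured per hour of day, but the comparison is the same.
    """
    expected_per_hour = daily_baseline / 24
    counts = Counter((hour, cc) for hour, _ip, verdict, cc in events if verdict != "accept")
    return {key: n for key, n in counts.items() if n > factor * expected_per_hour}


def board_summary(events):
    """Figures for a one-paragraph board note: totals, top blocked country and its share."""
    blocked = [e for e in events if e[2] != "accept"]
    by_country = Counter(cc for _h, _ip, _v, cc in blocked)
    top_cc, top_n = by_country.most_common(1)[0] if by_country else ("none", 0)
    return {
        "total_connections": len(events),
        "blocked": len(blocked),
        "top_blocked_country": top_cc,
        "top_country_share": round(top_n / len(blocked), 2) if blocked else 0.0,
    }


if __name__ == "__main__":
    evts = parse_events(build_sample_log())
    print(detect_spikes(evts))
    print(board_summary(evts))
```

Two points are worth keeping in view when running this against real logs. The spike threshold should come from the bank's own measured baseline, not a rule of thumb, so that the number reported to the board ("ten times our normal daily volume") is defensible. And the parser skips lines it cannot read rather than stopping, which is the right behaviour for a review script but means a silently changed log format would hide events; a count of skipped lines is cheap to add.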
Examiners are looking for cause and effect between programs, community bankers say. "All the risk management we do is supposed to be used in our decision-making processes," says Williquette, who documents those risk management efforts with meeting notes and decision documents. "Examiners want to see how those evaluations tie into project and purchasing decisions."
It also wasn't enough to have a program reviewed by the board and senior leadership, he adds. Examiners wanted to see examples of how they tested the program.
Continual improvement
A recurring question examiners asked of community bankers was what had been done to become better and more knowledgeable about IT systems security since their bank's last IT security exam.
"In the past, examiners were more focused on if you were administering your programs well," says Williquette. "It's transcended that. They want to know if you are testing thoroughly and yearly and improving your programs."
"Fortunately for us we started doing a lot more testing," Williquette says of Bank of Luxemburg's readiness for its most recent IT security exam. "It wasn't because we thought there was a gap and they'd ask on our exam. It's just a natural progression of having good programs in place and good IT best practices."
First State Bank's examiners focused heavily on change management, ensuring that certain procedures are followed when making changes to systems. Because the bank has very few outsourced systems, its managers didn't think it was necessary to have an official change control policy addressing risk assessment, approvals, post-installation validation, back-out and recovery during systems changes, something Hamilton now knows the bank needs to have anyway.
Examiners asked Heritage Bank about its security-risk-information sharing and to name all its system connections, which Borneman could do off the top of his head for all but three, which satisfied regulators. To prepare for future exams, Borneman is determining all the bank's connections and is going through the FFIEC's 20 Cybersecurity Questions for Financial Institutions released in January. The bank aims to tackle one of the five callout boxes with the board each month until it's done.
"The list of questions they asked on cybersecurity definitely set the table for the next exam to be much more strenuous," Borneman says.
Williquette, like the other community bankers interviewed, felt well prepared for Bank of Luxemburg's exam because it already follows best practices, but he is already planning for the bank's next IT exam. Next time he'll have all of his test results in a binder and ready to go. He plans to do even more security testing than his community bank already does, and he encourages other community banks to conduct more tabletop exercises with their executive teams on topics such as pandemic business continuity and incident response.
Not everyone saw huge differences though between the past and current IT exams. Examiners thoroughly dug into policies and procedures at JP Stone Community Bank. FDIC examiners did ask for and review the bank's logs, but they didn't discuss them with Bradfute in detail. Another change was that JP Stone Community Bank's IT security exam took two weeks this year instead of one week as normally happened in the past, mainly because the bank started writing its own software.
"It was basically an open book test," Bradfute offers of the importance of being familiar with all the rules. "There was nothing [examiners] didn't ask for that wasn't backed by the regulations they gave in advance."
By Kelly Pike
Kelly Pike is a freelance writer in Virginia.
Copyright Independent Community Bankers of America Jun 2015