Like his peers across the nation, community banker Tom Long has kept a cautious eye on regulators' increased focus on information technology security risk. Long is executive vice president of Peoples Trust Co., Linton, Ind. The bank has nearly $120 million in assets, seven branches, a wide area network, T1 lines connecting each branch ... and no IT staff. It was no comfort to Long knowing that thousands of bankers across the nation were in the same boat.
Regulators heightened their focus on IT risk in 1999 as technology began redefining the face of banking. PC use was skyrocketing. The TCP/IP communications protocol was becoming the norm. Broadband was elevating Internet communications to warp speed. Cyber criminals had started commandeering entire Web sites, using them to convey their messages or defame organizations. Alarmed, federal regulatory agencies released papers that year identifying growing concerns about IT security risks.
This was also the year the Gramm-Leach-Bliley Act became law and rewrote the book on the sharing and storage of consumers' information. Not only were banks made responsible for ensuring the security and confidentiality of customer records and information, they were also charged with instituting safeguards to protect against anticipated threats or hazards to the security or integrity of those records. As a result of GLBA's stringent security requirements, examiners now routinely check, to name just a few items, whether backups are run and the tapes kept secure; whether information is protected against unauthorized access or use that could result in harm or inconvenience to customers; and whether security awareness programs are in place.
As technology continued to make the transfer and storage of information easier and faster, regulators became even more concerned. In the year 2000, additional papers and bulletins were released detailing the importance of firewalls and intrusion detection systems and the need to secure local and wide area networks.
Last year the FDIC launched a new program for assessing IT risk, incorporating a brand-new philosophy for categorizing banks' use of technology and exposure to technology risk.
The result: more risk-focused IT examination procedures. Today when examiners arrive at your bank, they will review your efforts related to core processing systems, internal networks, electronic banking products, connectivity to external networks, the location of sensitive information and other technology components.
Here's how it stacks up
* Banks must identify reasonably foreseeable internal and external threats that could result in the misuse, alteration or destruction of customer information.
* Banks must assess the sufficiency of policies, procedures and customer information systems and other arrangements in place to control risks.
* Banks must design an information security program to control identified risks, commensurate with the sensitivity of the information and the complexity and scope of the bank's activities.
* Banks must adopt appropriate security measures such as password protection and network- and host-based firewalls.
* Banks must ensure that customer information is encrypted while in transit over, or stored on, unprotected networks or systems.
* Banks must have monitoring systems and procedures in place to detect attacks on or intrusions into customer information systems.
There is risk, and the regulators are determined to ensure that banks are taking appropriate action. Penalties have been assessed against banks, and others will no doubt follow. All of this is the responsibility of the bank's board of directors. The bank must provide a report to its board at least annually describing the overall status of the bank's information security program and its compliance. The report should discuss material matters related to the program, including an updated risk assessment, risk management and control decisions, service provider arrangements, and security breaches or violations, along with management's responses and recommendations for changes to the information security program.
When regulators arrive, they want to see that the board is in control.
"There was simply no way a bank our size had the resources to respond to all this," Long said. His search for a company to perform a vulnerability assessment (a process for determining whether a bank's IT systems can be breached) had produced very high quotes, as had the bank's search for a company to provide round-the-clock monitoring of the bank's systems for intrusion attempts.
IT risk will not go away on its own. Unless a bank has a staff of proficient technology experts available round the clock who can research and address issues, attend training on a regular basis and keep systems updated, backed by an open-ended budget that lets them acquire the tools they need when they need them, the best bet is to work with IT risk specialists to implement solutions.
David Culbertson, vice president, directs Computer Services Inc.'s Internet-based initiatives, including all e-business products and services. Prior to assuming his current position, Culbertson created CSI's internal audit department and served as the director of audit for seven years.
Copyright Bank News, Inc. Jan 2004
