State & federal officials address cyber concerns

Texas Banking contacted representatives of the Texas Department of Banking, Texas Department of Savings & Mortgage Lending, FDIC, OCC and Federal Reserve Bank of Dallas in an effort to address their top cyber concerns, focus of cyber exams and advice. Following are their responses:

What are your top cyber concerns as they relate to banks?

PHILLIP HINKLE, TEXAS DEPARTMENT OF BANKING: Cyber threats are no longer simply coming from just "a hacker." Today, community banks (actually all businesses) have to also be concerned with what is broadly called supply chain threats. This includes off-the-shelf software, telecom and network hardware and network security services.

While the supply chain threats have been emerging over the last couple of years, they are expected to grow. They are coming from foreign governments that have resources that far exceed the average business. We are finding ourselves essentially fighting a battle on four fronts (hackers, compromised software, compromised hardware and compromised services).

So, my top concern is the broadening threat landscape. I suspect it will require community banks, primarily those without dedicated network security staff, to continue to move toward the use of managed service providers for maintaining their networks.

COMMISSIONER CAROLINE JONES, TEXAS DEPARTMENT OF SAVINGS & MORTGAGE LENDING:

We have an overall concern about the increased sophistication of those who seek to exploit institutions' and customers' data. One particular item we are focused on is state savings banks engaging with fintechs and how they manage that third-party risk.

JILL CETINA, VICE PRESIDENT IN THE BANKING SUPERVISION DEPARTMENT AT THE DALLAS FED:

I would say our top three cyber concerns are: vendor risk management, insider threats and management of IT assets.

On vendor risk, the scope and frequency of vendor reviews are key to having an effective vendor risk management program. While vendors may be hesitant to share information, third-party risk management should be addressed to the best of an institution's ability.

With respect to insider threats, significant IT/cyber risk can present itself when employees are not properly trained on handling privileged credentials or information. Additionally, banks should consider evaluating possible insider threat scenarios and implement mitigating safeguards.

Finally, with regard to IT asset management, institutions lacking fully effective asset inventory and management practices may face obstacles protecting their IT assets and data. Mature asset management provides banks with a strong foundation. It helps secure systems, ensure patch management and plan the migration of platforms over an IT asset's lifecycle.

There certainly are other important areas - but these three are fundamental.

OCC:

Banks need to remain focused on maintaining good risk management programs, fundamental cybersecurity controls and effective incident response programs, as all three are essential for an effective cybersecurity program.

With these elements in mind, the most common control weaknesses we have observed that have led to breach events are related to authentication, system configurations (including security settings), patch management and access management.

In addition, as important as maintaining cybersecurity controls, is the ability to quickly respond and mitigate the impact of a cyber event. Even institutions with strong cybersecurity programs can experience an incident. The effectiveness of the response program is a key factor in being able to limit impact that any event may have on the bank and its customers.

FDIC:

The cybersecurity risks facing the banking industry are significant, persistent and have the ability to impact not just a single institution, but the financial system as a whole. FDIC Chairman Jelena McWilliams recently observed in her remarks before the International Institute of Finance that we live in a world of "ever-increasing cybersecurity risks, which can produce consequences that spread by the minute or the second, rather than by the hour or the day."

What advice do you have for banks to make them more cyber mature?

TEXAS DEPARTMENT OF BANKING:

The biggest step is shifting away from "compliance thinking," where the focus is on doing what will look good for an audit or an examination and focusing on identifying their key assets and how to protect them. For most institutions, this can be achieved by following the Center for Internet Security's Critical Controls and related benchmarks. These are industry developed and recognized standards that significantly reduce a company's network risks.

TEXAS DEPARTMENT OF SAVINGS & MORTGAGE LENDING:

With regard to third parties, particularly fintechs, and possible cyber risks, we recommend a robust due diligence process prior to engaging the fintech, continued monitoring of and appropriate reporting from the third party while using their services. Remember the function can be outsourced but, from a regulatory perspective, the responsibility of risk management rests with the institution.

FEDERAL RESERVE BANK OF DALLAS:

Two focus areas that come to mind are metrics and communication. Developing and maintaining IT/cyber metrics or standards and then regularly assessing those internal metrics is key to becoming more cyber mature. These steps should sound familiar as they are foundational to all risk management. Improving internal communication about cyber risks also can help banks advance their maturity. Banks should aim for an open culture that supports all staff communicating about possible IT/cyber risks across the organization. At the end of the day, if you are unaware of a risk, you can't manage it.

OCC:

One of the single biggest drivers of an institution's level of cyber preparedness is whether the bank has a fundamental culture of security that permeates throughout the institution. Such a culture often starts from the "tone from the top," and active engagement by executive management and board of directors will be a major factor in driving the effectiveness of the bank's cybersecurity program and staff awareness.

A fundamental culture of security permeating throughout the institution emphasizes the importance of ongoing diligence by bank employees, who are the bank's first line of defense for cyber threats.

A good example of how board members and senior management, along with staff, can be engaged in the bank's cybersecurity program is to conduct exercises to explore how each part of the organization will coordinate during a cyber incident. There are a number of worthwhile exercise resources identified in the FFIEC's Cybersecurity Resource Guide for Financial Institutions.

FDIC:

In August, the FDIC encouraged the use of a standardized approach to assessing cybersecurity preparedness in a statement with other FFIEC members. Several standardized approaches were listed as examples. The members noted that firms adopting a standardized approach are better able to track their progress over time and share information and best practices with other financial institutions and with regulators.

With regard to sharing information, including best practices, the FDIC continues to support banks of all sizes participating in industry information-sharing forums such as the Financial Services Information Sharing and Analysis Center (FS-ISAC) as part of their process to identify, respond to and mitigate cybersecurity threats and vulnerabilities.

What is the No. 1 thing you look for in a cyber exam?

TEXAS DEPARTMENT OF BANKING:

Unfortunately, there are several things of concern. However, a couple of years ago Commissioner Charles Cooper convened a national task force of tech savvy community bank CEOs and essentially asked: What cyber threats keep you awake at night? Their biggest concern hands down was cyber criminals compromising their wire transfer system.

We've had at least one case here in Texas where cyber criminals took control of a bank's wire transfer system ... began initiating wires, verifying those wires and transmitting the wires. At the same time, the criminals had changed the employees' passwords, which locked them out and impeded their ability to stop the transfers when they saw them.

So, one of the top things we want to confirm during an exam is that the bank has locked down their wire system(s) ... and that means going beyond the simple routine of ensuring dual control. The task force produced "best practices" for locking down Large-Value Funds Transfer systems and we distributed those to banks in Texas. Both TBA and IBAT posted them on the secure portion of their website.

I would add two more things we are increasingly focusing on. Those are if the bank is diligently implementing the Center for Internet Security's Critical Controls AND if the bank is getting regular audits that go beyond quasimock FFIEC exams. Threats grow faster than regulations have historically developed; therefore, it is important for banks to engage forward-looking audit firms. While we don't have any updated guidance on IT audit coverage, the scope of IT audits is an increasing discussion we are having with the industry because we are increasingly looking for banks to identify their own cyber weaknesses rather than waiting on an IT examination.

Challenging times continue to be ahead, but the industry can stay abreast of it by monitoring the changing environment and adapting.

TEXAS DEPARTMENT OF SAVINGS & MORTGAGE LENDING:

Some of the more common issues we see at IT exams are:

* End of life management due to the ending of support by Microsoft for Windows Server 2008 and Windows 7 in January 2020. It is critical for management to have a formal process in place to assess the upgrade or decommission of those servers or workstations.

* Institutions need to test their business continuity regularly and incorporate lessons learned into the plan and into future testing scripts.

* Roles, responsibilities and procedures to review IT audits should be formally documented in IT audit policies, even if the IT audit is being outsourced.

* Wire transfers continue to be a major target for fraudulent activity. Recommendations we make regarding wire transfers include wire transfer limits, oversight and segregation of duties.

* Management should monitor and document projects while adhering to formal policies and procedures. If a third party is used, management should perform the appropriate due diligence and verify the provider can support the institution's plans.

DALLAS FED:

Management should be actively involved in understanding and monitoring cyber risk. Some of the key information that management teams can leverage includes audit reports, cybersecurity risk assessments and, importantly, IT operational status reports, such as system patching and asset lifecycle management.

OCC:

One of the first things we look for is evidence of board and senior management engagement. Another top area of focus for examiners is banks' testing and validation of cybersecurity controls commensurate with the bank's risk profile.

This includes penetration testing, vulnerability assessments, independent risk management assessments and internal and external audit reports, as well as other testing and validation of controls.

Banks should continually test and validate the effectiveness of their cybersecurity program. The scope and depth of this work, as well as management's response to correcting issues raised, will influence the focus of the examination and validation work performed by examiners.

FDIC:

It is crucial that an institution's board of directors and senior management are active in managing the cybersecurity and other risks inherent when relying on information technology. As banks rely more heavily on IT services provided by third parties, risk management becomes more complex to include those third parties in addition to the bank's operations.

Effective boards and management teams understand cyber risk and develop the ability to discuss its impact with their shareholders and regulators. The FDIC created the Directors' Resource Center to help in this regard, and it contains a wealth of useful information and resources including two cybersecurity awareness videos and nine Cyber Challenge scenarios.