Banks are still awaiting details about the Federal Financial Institutions Examination Council’s new cybersecurity tool, which is expected to be released this quarter. But recent comments by a senior regulator suggest it will have two basic components. First, a “matrix” will help institutions determine their level of cyber risk. A bank will then be guided to recommended measures it should take based on that risk.
The tool, which follows a pilot program last year to assess cyber readiness at 500 community financial institutions, is a sign regulators are still relying on bankers themselves to measure preparedness. But while use of the tool will be voluntary at first, experts expect it ultimately will be compulsory and results of the self-assessment could be incorporated in future exams.
“This is where they expect banks to start and kind of work from there,” said Susan Orr, a former examiner who now runs her own consulting practice. “Once they roll it out, it will definitely be a tool that [institutions] are expected to use.”
The module, which was discussed at a recent meeting of the Federal Deposit Insurance Corp.’s community bank advisory panel, is also expected to be a central resource of recent regulatory guidance on cybersecurity programs.
At the April 2 meeting, Doreen Eberley, the FDIC’s director of risk management supervision, said the tool will allow banks to evaluate their cybersecurity programs based on their profile while providing insight into where a program needs improvement.
“It starts off with a risk assessment. Each institution will work through a risk assessment matrix and figure out, ‘What is your level of inherent cyber risk?’” Eberley said. “The second step will be actually to walk through the tool and assess the level of your preparedness.”
Yet questions remain about how the tool will actually work, including whether it will be operated online or in paper form. “What I am expecting is more of like a checklist just based on what I have read and seen about it,” said Matthew Froning, chief information officer at Security Compliance Associates.
Regulators have already taken a number of steps to communicate their expectations, both to banks and third-party service providers, for what goes into a robust cybersecurity program. The new tool builds on last year’s pilot program, in which regulators included a formal cybersecurity review for 500 institutions due for safety and soundness exams. Officials have also aligned their expectations with a broader cybersecurity framework – released last year by the National Institute of Standards and Technology – that provided best practices for banks and other companies that support critical infrastructure.
Observers said that, while regulators have focused a significant amount of their cyber-related concerns on the biggest banks, the agencies still must rely on institutions themselves to measure readiness at the thousands of community banks.
“Certainly what we will see is a lot more emphasis on self-policing, because the regulators can only do so much and, aside from the very largest institutions, it is difficult,” said Kevin Petrasic, a partner at Paul Hastings LLP.
But others say the self-assessment tool will also be helpful in clarifying the government’s expectations of what an effective program looks like.
“It is intended to help everybody understand what the target looks like and in that sense this is very welcome,” said Murray Walton, chief risk officer at the financial services technology firm Fiserv.
Orr said some banks have been reluctant to aggressively make upgrades to their cybersecurity readiness in the absence of clarity from regulators.
“Until this self-assessment tool or until some real straightforward guidance on what the expectations are, everybody is going to be a little apprehensive,” she said.
However, while the tool may initially just provide a better picture of model standards, cyber exams are likely to become more rigorous, many say.
“I haven’t heard from bankers that the regulators are as focused on [cybersecurity] as an examination issue as I think they will be in the future,” said Lynne Barr, a partner at Goodwin Procter LLP.
During the advisory committee meeting, Eberley said the tool would start out as a voluntary measure but “then we will be figuring out how we work that into the examination process down the road in terms of thinking of cybersecurity as a component of” a bank’s information technology assessment.
The FFIEC is not just stepping up its cybersecurity oversight of financial institutions, however. Technology service providers, which are examined like banks, are also under the microscope. The concern is that service providers can pose even more risk to the financial system than a single institution because they often represent a vast web of interconnectedness between many institutions.
Petrasic said the extent to which the tool focuses on service providers is “probably the most critical wild card.”
Walton, of Fiserv, said the firm is “probably more complex technologically” than most of its bank clients, but it is unclear if the tool will be applied directly to third-party providers or just to banks. However, he said regulatory expectations for service providers are still likely to be higher than those for most banks because “we constitute a larger attack surface.”
Eberley noted that the tool will take into account institutions’ different levels of complexity and technological capabilities.
“The tool is actually a maturity model so it has different levels, and not everybody is going to be expected at the top,” she said. “You’re going to have to determine based on your risk where do you need to be.”
Small banks with relatively undeveloped programs will probably get the most use out of the tool.
“The [institutions] that have very small IT departments or don’t even have an IT department… are the ones it is going to help the most,” Froning said. Yet, he added, it is important that those institutions “don’t become completely reliant on” the tool “and forget that they have to go beyond” it.