Posted on 02/27/2018 at 12:34 PM by Jesse Johnston
The FDIC has released its 2017 Annual Report, which highlights living wills, efforts to simplify regulations, and some insights on cybersecurity. Of note to Iowa's community banks is Appendix D, the Office of Inspector General's (OIG) Assessment of the Management and Performance Challenges facing the FDIC. In this document (written, presumably, as an effort to help us all sleep better at night) the OIG discusses two important issues: emerging cybersecurity risks at insured institutions and, secondly, the FDIC's ongoing efforts to stay ahead of cybersecurity events at the FDIC itself. The OIG addresses the ramped-up IT examination process at financial institutions, something community banks have noticed during the last FDIC exam cycle. The report also addresses a collaboration among the federal banking regulators to update the interagency Cybersecurity Assessment Tool. A few additional, and less obvious, key takeaways from Appendix D:
1. Third-party service providers are the single largest source of risk for a bank. In a 2016 report, Case Study of a Computer Security Incident Involving a Technology Service Provider, the FDIC investigated an incident at a service provider that affected several financial institutions and involved a breach of personally identifiable information (PII). The FDIC determined that the service provider's incident response policy was "vague" and "limited the [service provider's] ability to collect or retain forensics." Banks must ensure their service provider and vendor contracts address a host of critical cybersecurity issues, including incident response plans, employee security procedures, and a strong indemnification provision, in order to protect against the issues for which no bank can plan. (See blog: "Your vendor contracts are shields and swords.")
2. The FDIC is making a concerted effort to better collect and review aggregate data, and so should you. In 2015, the Government Accountability Office (GAO) directed the FDIC to collect and analyze data points so as to have more usable threat information. The GAO stated that the FDIC could do better at aggregating data on security problems and addressing it. Banks have immeasurable amounts of data at their fingertips, but not always the time or expertise to arrange and analyze it. However, when it comes to security incidents and responses at a financial institution, officers and directors must make time to review what is going on and address it internally with amended policies and procedures.
3. The discussion of the FDIC's internal review process is a good model for any financial institution that does not know how to self-assess. The FDIC has experienced attempts to breach its security measures; out of its internal audits, it has compiled a list of security control weaknesses and is addressing that list with mitigation plans. Not only will the particular issues resonate with community banks (management of contractor personnel and changes in management at the agency), but this targeted approach, identifying weak points and focusing efforts on mitigating them, is a good model to follow.
If you have any questions regarding federal regulations or cybersecurity, please contact Jesse Johnston.
The material in this blog is not intended, nor should it be construed or relied upon, as legal advice. Please consult with an attorney if specific legal information is needed.
- Jesse Johnston