Standards for how financial institutions (FIs) manage cybersecurity risks are tightening, with a pending new FDIC rule lowering the applicable size threshold for covered FIs. Jessica Caballero, director of cyber risk management at Defensestorm, takes a closer look at the FDIC’s new rules and what institutions of all sizes should know about their cyber risk approach.
The standards for proper governance and risk management within financial institutions continue to evolve, with the FDIC weighing whether to finalize a proposed rule to heighten standards for large banks, requiring those with assets over $10 billion to assess their risk governance, including cybersecurity risk management policies, controls, and data and systems infrastructure, among other risk- and governance-related requirements.
The Office of the Comptroller of the Currency (OCC) and the Federal Reserve have similar heightened standards that apply to significantly larger and often more complex banks — those with total assets over $50 billion. Considering the substantially lower asset threshold at which it would apply, the FDIC’s rewrite of the guidelines is catching the industry’s attention. It’s also catching the ire of opponents; Senate Republicans have called for the FDIC to withdraw the proposed rule, which saw its public comment period close in February 2024, so the future of the rule could be in doubt.
Regardless of whether the proposed rule becomes final, its implications should be examined and taken into consideration, particularly with regard to its cybersecurity components.
Ultimately, better governance structures and well-implemented risk management principles are key for institutions working toward maturing their cyber risk management programs. The proposed rule can serve as an outline of best practices even for those institutions not covered under its scope — such as smaller banks and credit unions of all sizes — as it creates a new precedent that could very likely continue to trickle down to other asset sizes and institution types.
Boards increasingly need cyber expertise
The FDIC isn’t the first to make a move to evolve standards towards considering expertise as part of board composition and diversity strategies. The 2023 amendment to the New York Department of Financial Services (NYDFS) Part 500 regulation calls for the governing body to sufficiently understand cybersecurity matters to exercise oversight. The rule states that without such understanding, the use of advisers may be necessary to properly govern.
The FDIC’s proposed rule is not cybersecurity-specific like Part 500; however, it calls for diversity in experience to prevent knowledge gaps. It is no secret that lacking knowledge and expertise around technology and cybersecurity at the board level has been an obstacle to properly governing cyber risk within banks and credit unions, especially smaller institutions. We can assume this is the motivation behind preventing knowledge gaps within an institution’s key governing body.
Banks and credit unions of all sizes should consider increasing their governing bodies’ knowledge and expertise in technology and cybersecurity. This can, of course, be achieved through the diversity of experience in the board’s composition; more tangible options for smaller, less complex institutions include more frequent board training and establishing focused committees for targeted oversight.
3 lines of defense model
The FDIC’s rule requires covered banks to formally implement the three lines of defense model. Many community banks and credit unions have yet to formalize this model. As previously highlighted, the asset threshold for heightened standards is shrinking; thus, the writing on the wall is clear: this will become an official standard for all institutions. It is already the unofficial standard.
The three lines of defense model calls for these three units to monitor and report adherence to the risk management program:
- Front-line units (FLU), aka business units
- Independent risk management (IRM), which is under the direction of the chief risk officer (CRO)
- Internal audit (IA), which should be overseen by a chief audit officer (CAO) with unrestricted access to the board and its governing committees
There are many ways to implement this model, especially when considering cyber risk management. Institutions may have:
- Chief information security officer (CISO) who acts as a business line leader and, thus, sits in the first line
- CISO who is a risk manager and fits into the independent second line
Institutions can choose what best suits them based on their talent and organizational structure. However, the choice must create the appropriate independence and ensure effective risk management and oversight. For example, if your CISO is a front-line CISO, ensure IRM has the appropriate talent and knowledge to effectively oversee this officer’s risk-taking activities, author policies and conduct risk assessments within cyber and information security.
Data aggregation & reporting
The FDIC’s proposed rule addresses how data is aggregated and reported as part of the risk management program. It specifically calls for policies, procedures and processes covering data aggregation and reporting. The design, implementation and maintenance of the data architecture and information technology infrastructure should support the institution’s risk aggregation and reporting needs during normal operations as well as during times of stress, such as a disaster or cyber event.
This can create a new layer of stress for information technology professionals, as they will likely own the implementation of these policies, procedures and processes. The responsibility lies on their department to maintain the accuracy and availability of risk data to facilitate prompt reporting on material risks, breaches of limits and concentrations of risk to relevant parties for risks across the entire institution, not just cyber risk.
For institutions working to mature their risk management programs, data aggregation and reporting should be at the forefront of their strategic planning process. Regardless of whether an institution fits under the scope of the proposed rule, data architecture and IT infrastructure are coming under more scrutiny from regulators, and thus this is an area institutions should focus on maturing, especially as it relates to supporting risk management programs.
Maturing internal audit units
Institutions subject to the FDIC’s heightened standards would be required to mature their third line of defense — internal audit — to ensure the effectiveness of their risk management programs. Maturation would entail complete and current risk registers and risk assessments for all businesses, products and functions. All audit plans — including information security audit plans — should be driven by the assessed risk.
Internal audit would be required to assess the adequacy of and compliance with policies, procedures and processes for both the first and second lines of defense. It is also responsible for assessing the design and effectiveness of the risk management program. Institutions of all sizes can examine their audit scopes to ensure that the risk management program is being assessed in the same way technical compliance with regulations and internal policy is assessed.
Audits are an opportunity to learn new best practices and get guidance on where the program(s) need to grow and evolve. Institutions with asset sizes below the heightened standards cutoff can benefit from using firms that also audit larger institutions that have risk management programs that align with the proposed guidelines. These firms can provide guidance and insight that will lead to better, more effective risk management programs.
There are actions required of larger, more complex institutions that would not be appropriate or feasible for smaller institutions in light of resource constraints and other factors – like conducting a formal root cause analysis on each identified deficiency. While it may not be feasible for all, there is no harm in understanding the impact of a deficiency and how effective the resolution was – albeit more informally. Without these understandings, senior leadership may fail to properly communicate the true issue, leaving governing bodies unable to properly oversee the program. As with anything discussed here, the depth and formality should be commensurate with the bank or credit union’s size and complexity.