June 12 — Given all the attention paid to “too big to fail” banks, it is tempting to think that, in the eyes of policy makers and the media, small financial institutions are “too small to matter.” But when it comes to facing cyber threats, the size of the bank has little relevance. Malicious actors will look for weak spots to exploit as easy entry into a network, regardless of whether the target is a small or large institution.
With smaller budgets and teams, it can be challenging for community banks to address cybersecurity and regulatory compliance demands to the same degree as the nation’s large financial institutions. How to approach cyber risk was the topic of an interview between two former bank regulators. Tom Curry, former Comptroller of the Currency, spoke with David Cotney, former Massachusetts Bank Commissioner, at a recent roundtable event for Massachusetts bank executives held in Boston. Curry is now a partner and co-chair of the banking practice at the Boston law firm Nutter, and Cotney is now regulatory director for CyberFortis, a cybersecurity firm.
Cotney: How would regulators in Washington, D.C. react to a large scale, systemic cyber incident affecting banks?
Curry: From a regulatory and public policy standpoint, it is essential that we demonstrate that the entire banking sector, regardless of size or charter type, is following a common approach, and that counterparties, public officials and customers view the sector as taking appropriate steps to deal with cybersecurity related issues.
At the Office of the Comptroller of the Currency, we were prepared to go forward with our own cybersecurity guidance and expectations for OCC institutions. It made more sense to get everybody working in unison on a common approach and a common framework for assessing cybersecurity vulnerabilities at the institution and system levels.
Cotney: Why are community banks in a unique situation when it comes to facing cyber risks?
Curry: There is a need to understand and address the fact that there is a divergence of exposure and risk within the banking system. This requires having a basic framework that could be applied to the smallest credit union and the smallest community bank, as well as to the largest service provider and the largest financial institution. That’s really what the development work of the Federal Financial Institutions Examination Council has been – to come up with a framework that can be applied across the board. It is also important to raise awareness at the institution level that this is a problem and that it needs not just the attention of a chief information officer, but also of the CEO and board of directors. Regulators, like banks, are in the risk management business. The risk management framework is a responsibility of the board and the CEO, and we need to emphasize that.
Cotney: If this is something that should be elevated, then what is the role of the CEO/board/senior management who lack cybersecurity expertise?
Curry: This is a basic risk management principle. The board’s role is to establish what the risk appetite framework is for the institution, a subset of which is cybersecurity. The board needs to articulate what risks they are willing to live with and what controls must be put in place. The expectation is not for members of the board to be technical experts. It is the board’s role to do an assessment of the institution’s cyber vulnerabilities and to require management to develop a plan to address them in a manner that is consistent with the risk appetite for the institution.
Cotney: As the head of the OCC you had to implement many new regulations required under Dodd-Frank. Now, there’s talk about deregulation in D.C. Should we assume that regulatory expectations will decrease in regard to cyber, or is this one area where regulatory expectations will increase?
Curry: Cyber risk is always going to be with us. If the financial industry is knocked out of commission because of an extensive cybersecurity threat or if there is a massive loss of consumer confidence in the system, financial institutions face potential ruin. It is also a national security threat because the financial services industry is a key part of our nation’s critical infrastructure.
One of the things the federal banking agencies launched before I left the OCC was an advance notice of proposed rulemaking. Larger institutions and significant core service providers needed to be held to a higher standard. So, we put out an ANPR asking which direction we should take from a regulatory standpoint. My hope is that the agencies will continue the process, review the comments and put forward a proposal. The U.S. Treasury Department clearly recognizes the significance of the cybersecurity threat to the financial sector.
There is a real issue, one that we confronted at the OCC and FFIEC, with the scope of the Bank Service Company Act. It is critical for banks and the federal banking agencies to recognize the critical role that core service providers play in the cybersecurity ecosystem. There is a need to make sure that those critical service providers are appropriately supervised and where remedial actions are necessary, the agencies use their enforcement powers.
A big question is how far should the agencies extend their authority to supervise third-party service providers (TSPs)? The policy issue with the advent of cloud computing is: can you use the Bank Service Company Act to go into some of the biggest names in technology, where banks are increasingly using the cloud for core banking services, to actually assess what’s going on? There is another issue with cloud computing: namely business resumption. What happens if there is an interruption? What is your contingency plan? Are you able to resume business within a time period that meets regulatory and customer expectations? This is probably where legislative action may be required and is one of the biggest policy issues out there.
Cotney: Can a community bank – which individually does not have the power to influence the core providers as much as the larger banks – rely on the core to be assured of their cyber readiness, or is there more they need to do?
Curry: This is where third-party guidance from the agencies comes into play. Banks cannot say that their core service provider is handling this, case closed. They still have to monitor their core provider and other critical vendors. However, I don’t think it is realistic to expect a smaller community bank to do the same level of due diligence that is expected of a larger institution.
From my perspective as a regulator, I thought it was important to encourage and emphasize collaboration among community banks. I often would ask the policy and supervision folks at the OCC to rethink what their expectations are for small community banks. Otherwise, you’re putting added regulatory pressure on a smaller institution that increases costs and is probably not that effective in the long-term either. You do need some rules of the road – clarifications of what those expectations are – if you want to encourage some collective action by banks.
Cotney: Can you discuss a community bank’s ability to do due diligence on an organization like Equifax or a core service provider? It seems like they have little leverage.
Curry: The principles are sound in terms of what regulators expect from banks regarding third-party risk management; however, there is an issue of scale. As I mentioned, I have been a longtime advocate of collaboration. You need to give strong consideration to the benefits of working with your fellow community bankers in vendor due diligence if you want it to be effective. Otherwise, on your own, your staff are spinning their wheels doing similar third-party due diligence on the same vendors as your peers.
In terms of your contractual relations with the core service providers, there is a hesitancy on the part of regulators to insert themselves into that process. But collaboration is equally applicable here. You have stronger leverage if you act together, in negotiating optimal contractual terms.
From a supervisory standpoint, if serious issues exist, the agencies are ready to place core service providers under enforcement actions and to share the results of those Bank Service Company Act examinations with their clients. This is a major motivator for taking corrective action. The market has consolidated to the point where you don’t have the options of choice, and there is unequal bargaining power. But hopefully, you can level that by collaboration, both in negotiating and in what you can do to satisfy yourself and regulators in terms of appropriate due diligence.
Cotney: What can a community bank do to prepare for the “inevitable” breach?
Curry: It goes back to business resumption planning. Hopefully, you have assessed what your vulnerabilities are and have taken a risk-based approach to addressing those issues. However, if a breach does happen, you should be thinking about what your capabilities and your options are. There is a lot of work being done in terms of mutual aid, such as Sheltered Harbor. Is there an ability for another institution to step into your shoes while you try to correct the damage from a cyberattack? This type of resiliency is what senior management and the board should be focusing on from a risk management standpoint.