Given the current cybersecurity landscape, it is vital to have regular conversations with your directors about their IT and cybersecurity governance responsibilities, not just once a year but as an ongoing dialogue.

Understanding Operational Resilience Through the Lens of Third-Party Systems

You will want to ensure you have identified any systems for which it is difficult or impossible to build a redundant operational strategy (e.g., hosted core processor, SaaS-based LOS). Ensure your board clearly understands that if the provider is hard down for these identified systems, you are hard down, too. No one expects your bank to have a “backup” core processor, but examiners expect the board to know which systems or vendors present that risk.

Of course, your board understands this for vendors like your core processor – but do your directors understand how your bank could be impacted if other vendors were to have an extended outage? Take your ATM or ITM vendor, for example. Last year, a regional service provider’s issue affected thousands of supported devices across hundreds of banks. What would you do if your ATM/ITM service provider had an outage that took all your ATMs or ITMs offline? What is your process to respond to customers needing to transact with your bank if one of these services or vendors is unavailable? Has management discussed this with your board? Do your directors know which of your other vendors could significantly impact bank operations? And do they know how your bank would adapt to that situation?

Elevating Vendor Due Diligence

You already know you must be able to demonstrate how you assess your vendors and their controls. But are you looking at the complementary user entity controls in your critical vendors’ SOC 1 and SOC 2 reports? Are you reviewing each of those and ensuring your bank has the specific controls in place? This has always been an expectation, but recently, examiners are diving deeper and asking for more and better evidence that you regularly evaluate these risks.

Cultivating IT Leadership

In one specific bank, an examiner questioned the competence of the bank’s IT manager for the role. The examiner was concerned that the person had been doing that job for several years but had not kept pace with appropriate professional development. You should ensure your IT management staff have adequate expertise in the technologies your bank employs. That may sound simple, but if the board and senior management have little or no technology expertise, it may be difficult for the bank to effectively supervise the IT staff. You must ensure they continually update their knowledge and expertise as the cybersecurity landscape evolves.

The concern is valid. Bad actors continually refine their attacks and improve their methods, and you need to expand your security approach commensurately. Systems and expertise that were adequate five years ago may no longer be enough to thwart a sophisticated attack. Your management team – and your board – need to understand that and be willing to address aging approaches that may be creating vulnerabilities.

Conclusion

As regulatory bodies intensify their focus in these areas, it is imperative that banks prepare for heightened scrutiny and view these examinations as a catalyst for strengthening their operational foundations. By prioritizing comprehensive business continuity planning, enhancing board oversight and rigorously managing third-party risks, your bank can not only navigate the complexities of the current regulatory environment but also lay a solid groundwork for sustainable growth and resilience.

Milton Bartley
President and CEO
ImageQuest LLC
info@ImageQuest.com

Milton has more than 25 years of experience assessing and mitigating risks for regulated organizations. He serves as virtual chief information security officer for several client banks and as an active board member of the InfraGard Middle Tennessee Members Alliance. He also is active in the national InfraGard Cyber Finance Working Group. ImageQuest is an associate member of the Indiana Bankers Association.

MAY/JUNE 2024 53