Sign In
  • December 14, 2016

    Cybersecurity Risks: The Latest Guidance from Bank Examiners

    Recent guidance from bank regulators makes clear that cybersecurity risk assessments will be an increasing area of focus. Matt Rowe summarizes the latest guidance and how bank management teams can use it to mitigate cybersecurity risk at their institutions.

    Matthew D. Rowe

    The Office of the Comptroller of the Currency has indicated in a recent bulletin that its examiners will gradually incorporate a Cybersecurity Assessment Tool into its examinations of national banks and other institutions under its regulatory purview.

    Matt Rowe Matt Rowe, Minnesota 1997, is a shareholder in Ruder Ware’s Business Transactions Practice Group, where he concentrates in corporate finance and securities, mergers and acquisitions and related acquisition financings, and the representation of financial institutions in connection with regulatory and other matters.

    At the same time, the Federal Deposit Insurance Corporation issued a Financial Institution Letter informing banks of a Frequently Asked Questions document relating to the Cybersecurity Assessment Tool, which was recently issued by the Federal Financial Institutions Examination Council (FFIEC).

    While use of the Cybersecurity Assessment Tool is optional for banks, the recently-issued guidance makes clear that bank examiners will have an increasing level of focus on cybersecurity at banks of all sizes.

    Steps to Address Cybersecurity Risks

    The Cybersecurity Assessment Tool was issued in June 2015, and in its overview for chief executive officers and board members, the FFIEC indicated that boards of directors and bank management teams may want to consider, among other things, taking the following steps to address cybersecurity risk at their institution:

    • Developing a plan to conduct a cybersecurity risk assessment using the Cybersecurity Risk Assessment Tool
    • Establishing a target state of cybersecurity preparedness that best aligns to the board of directors’ approved risk appetite for the institution
    • Approving plans to address any cybersecurity risk management and control weaknesses
    • Implementing changes to ensure that the institution has achieved its desired level of cybersecurity preparedness
    • Monitoring cybersecurity risk on an ongoing basis.

    Questions and Answers About the Cybersecurity Assessment Tool

    In its Frequently Asked Questions document, released in October 2016, the FFIEC addressed a number of issues that had been raised by bankers and other interested parties relating to the Cybersecurity Assessment Tool. The FAQs make clear that use of the Cybersecurity Assessment Tool is voluntary, and that an institution’s management may choose to use the Tool or another risk assessment process to identify inherent risk and evaluate cybersecurity preparedness.

    That said, the FAQs summarize a number of benefits that an institution might see from using the tool, including the identification of factors contributing to the institution’s overall cyber risk and providing a framework for determining whether or not the institution’s cybersecurity preparedness is aligned with its inherent risk.

    As is often the case with regulatory guidance like this, bank management teams may want to give strong consideration to using the Cybersecurity Assessment Tool as a means of evaluating cybersecurity risk at their institutions, particularly in an environment where it appears there will be both an increasing level of regulatory scrutiny in this area and, given the continued influence and use of technology, an increasing level of cybersecurity threats.

    Need help? Want to update your email address?
    Contact Customer Service, (800) 728-7788

    Business Law Section Blog is published by the State Bar of Wisconsin. To contribute to this blog, contact Peter Trotter and review Author Submission Guidelines. Learn more about the Business Law Section or become a member.

    Disclaimer: Views presented in blog posts are those of the blog post authors, not necessarily those of the Section or the State Bar of Wisconsin. Due to the rapidly changing nature of law and our reliance on information provided by outside sources, the State Bar of Wisconsin makes no warranty or guarantee concerning the accuracy or completeness of this content.

    © 2024 State Bar of Wisconsin, P.O. Box 7158, Madison, WI 53707-7158.

    State Bar of Wisconsin Logo

Join the conversation! Log in to leave a comment.

News & Pubs Search

Format: MM/DD/YYYY