Cybersecurity – The New Challenge for Banking Compliance Professionals
Traditional thinking has it that cybersecurity and the safeguarding of personal information and sensitive business data fall in the realm of a bank’s IT security professionals. But as regulators and financial services examiners make cybersecurity a top priority, compliance professionals need to take responsibility for implementing a cybersecurity compliance program that will support and drive the efforts of IT security functions and meet regulator and consumer expectations.
A cybersecurity program that will safeguard data and withstand the scrutiny of banking regulator exams requires strategic leadership, ongoing guidance, and oversight from the compliance department. IT security professionals excel at implementing technical solutions to safeguard data, but compliance professionals possess the proper training, background, and skill sets to understand applicable regulatory requirements and translate them into controls and programmatic components that IT professionals can operationalize. Compliance professionals’ talents and skills are integral to overall cybersecurity risk management, including the development and ongoing oversight of policies and procedures, training, and program monitoring. A partnership – or at a minimum an ongoing, productive communication between the IT and compliance departments – is a necessity in a global financial services world dominated by digital data.
Regulatory Developments Driving Cybersecurity Compliance
UDAAP and Cybersecurity
The pressure on the compliance function to play an integral role in cybersecurity program development has been increasing as regulators have sharpened their focus on cybersecurity as a priority item on their enforcement agenda. There are strong indications of future enforcement actions, particularly in the aftermath of the Consumer Financial Protection Bureau’s (CFPB’s) March 2016 order against an online payment platform for misrepresenting the state of its data security program. That action, brought under the Dodd-Frank Act’s Unfair, Deceptive, or Abusive Acts and Practices (UDAAP) provisions, closely follows in format and focus a substantial history of similar actions successfully brought by the Federal Trade Commission under the FTC Act. Like the FTC Act, UDAAP enables enforcement for deceptive acts (i.e., the type of misrepresentations alleged in the CFPB’s March order) as well as unfair acts, which are likely to include the absence of security appropriate to the types of data being collected and processed. The CFPB and other financial services enforcement agencies can be expected to continue to pursue actions under UDAAP, not only for alleged data security violations, but for alleged data privacy violations as well.
Examinations with a Cybersecurity Focus
As compliance professionals know, financial services regulators including the Federal Deposit Insurance Corporation (FDIC), Office of the Comptroller of the Currency (OCC), Federal Reserve, Securities and Exchange Commission (SEC), New York Department of Financial Services (NYDFS), and others, now include cybersecurity as a standard component of their examinations. These agencies expect that financial institutions will have made compliance with applicable cybersecurity requirements a priority for which responsibility begins at the board level. Guidance for the Federal Financial Institutions Examination Council’s (FFIEC’s) Cybersecurity Assessment Tool (CAT), for example, makes this responsibility explicit, advising that the board of directors should approve plans to use the CAT and review management’s determinations of whether the institution’s cybersecurity preparedness is aligned with its risks.
The FFIEC released the CAT in June 2015 to assist institutions in assessing and improving their cybersecurity programs. Specifically, the CAT provides institutions with a tool to ascertain existing inherent cyber risk and evaluate the program with that risk in mind in order to identify where responsive mitigating controls are needed. Although the CAT was published as a voluntary tool, agencies such as the FDIC, OCC, Federal Reserve, and others have either used or plan to use the CAT as part of, or as a supplement to, their exams. As such, compliance professionals need to become familiar with the CAT and engage their IT colleagues in order to ensure that the proper people, process, and technology controls are in place to meet examiner expectations.
State Breach Notification Laws
Financial compliance professionals should also be aware of the 47 state breach notification laws in the US. These laws require the reporting of certain types of data breaches to individuals whose information may have been accessed as part of the breach, as well as to state attorneys general and, in some cases, law enforcement. As has become very clear over the past decade, data breaches have debilitating brand consequences for financial institutions, which consumers expect to be trusted guardians of personal information.
A well-developed and effective incident response program is built with input from multiple stakeholders, and the compliance department needs a place at the table to assist in taking the requirements of the applicable breach notification laws and translating them into requirements, policies, and procedures. Compliance professionals should also play a role in the development of awareness exercises to ensure efficient and effective response to data incidents.
Action Items for Compliance Professionals
Assess Your Cybersecurity Program
With examiners focused on cybersecurity program effectiveness and expecting to review FFIEC CAT results, compliance professionals must be sure that cybersecurity effectiveness is evaluated and vulnerabilities addressed well in advance of an examination. They should liaise with senior leadership and the board to report on the state of the cybersecurity program and any newly implemented mitigating controls. Specifically with regard to executing the CAT, the compliance department has a key role to play, as there are numerous components dealing specifically with compliance-related issues such as program governance, policies, procedures, training, and program monitoring.
Build Cybersecurity Governance
Compliance professionals should play a significant contributing role in driving a cybersecurity governance structure tailored to their individual institution. In determining an appropriate governance structure, consideration should be given to the type and volume of data being stored and processed, the sensitivity of the data, and the number of individuals and entities with access to the data and/or the processing environment (both internal and third party).
Compliance department contributions will include working to determine appropriate top-down leadership, steering committees and – critically – interfaces between the legal and compliance functions on the one hand and IT leadership on the other. The compliance department should engage directly with the institution’s IT security function to gain a clear understanding of existing and anticipated cyber threats in order to make appropriate contributions to components of the program such as incident preparedness and response plans.
A fundamental strength of compliance professionals is the ability to take regulatory requirements, translate them into policies that fit the context of the institution and its risk tolerance, and translate those policy requirements into standard operating procedures that inform staff of exactly what actions they are required to take.
Implement Programs that Change Mindsets
An important objective of the governance program is to make cyber-resilience a mindset throughout the organization and among third parties with access to data or systems. This level of cultural change is gained not solely by developing policies and procedures, but by enabling covered individuals to truly understand what is at stake for the institution, its customers, and its employees and other stakeholders. Training is an important component, but ongoing communications and an awareness program are crucial to support broad adoption. Local cybersecurity “champions” can add a tremendous boost to attaining true cultural change. These champions are local resources who should possess the requisite knowledge and skills, or receive appropriate training, in order to act as the onsite expert and “go-to” individual for cybersecurity questions.
In an environment of ever-present cyber risk and regulatory scrutiny, compliance professionals need to step up, adapt, and meet a new set of challenges. The compliance function continues to evolve and now plays a key role in building cybersecurity programs that meet or exceed regulatory expectations and business needs. In this new digital world, financial institutions’ compliance leaders must truly understand cybersecurity regulations and examination requirements and be prepared to demonstrate how well their organizations are complying and safeguarding sensitive customer and business information.