Interview the Expert
An Interview with W. Jackson Schultz
Lynne McCauley, Managing Director for The Spofford Group, recently sat down with W. Jackson Schultz, senior auditor with OCD Tech, to talk about the importance of cyber policies and compliance, some of the challenges smaller, community banks are facing when it comes to regulatory IT compliance, and the role of cyber liability insurance for banks and financial institutions.
Key Takeaway
“If there were an area that I’d say needs enhancement though, it would be security awareness training. Creating a security-aware internal culture is key to social engineering prevention. In my opinion, the human employee, or carbon-based vulnerability as I like to call them, is the largest ‘weakness’ within these institutions.”
Q: What are regulators looking for in assessing bank IT risks?
Schultz: Currently, it seems that the regulators are as interested in cybersecurity as they are in vendor management. The focus seems to be entirely on the FFIEC Cybersecurity Assessment Tool (CAT) and the way that vendors are risk-rated and tracked. The regulators are also interested in seeing whether vendor due diligence materials are currently being maintained and reviewed. Finally, regarding vendor management, the examiners want to see alignment between vendor response times, in the case of a disruption, and the financial institution’s business continuity plan. This can be found in Appendix J of the Business Continuity Planning Booklet of the FFIEC IT Handbook.
Q: Where are you finding most banks have weaknesses?
Schultz: ‘Weaknesses’ is a bit of an unfair word for community financial institutions. Sure, these institutions don’t have as large a budget as a multinational bank, but for their size and the amount of data they process, with the exception of a few outliers, they implement strong internal controls and work with knowledgeable vendors when they do not have internal expertise. If there were an area that I’d say needs enhancement though, it would be security awareness training. Creating a security-aware internal culture is key to social engineering prevention. In my opinion, the human employee, or carbon-based vulnerability as I like to call them, is the largest ‘weakness’ within these institutions. As long as people continue to click on malicious links, these financial institutions will continue to be vulnerable.
Q: What are the challenges for the banks in staying abreast of current cyber threats?
Schultz: The challenge is really related to a few things. It’s definitely difficult for smaller-scale financial institutions to afford the talent that the big banks can, and that will put them a bit behind. With that being said, the information overload that they are expected to digest, a lot of times, can be incredibly overwhelming. Organizations like the Financial Services Information Sharing and Analysis Center, or FS-ISAC, are much needed in this industry. Sometimes, however, the information that is sent through their channels is not comprehensible by the smaller institutions who have nontechnical staff. Finally, rigorous compliance requirements take a hefty toll on an institution’s budget, leaving them short on funds to invest in important areas related to cybersecurity.
Q: What is the role of an IT Security vendor in helping banks maintain IT security?
Schultz: At OCD Tech, the IT Audit & Security Division of O’Connor & Drew, P.C., our role is to ensure that financial institutions meet compliance requirements, while also discovering vulnerabilities and advising them on ways to enhance their security posture against an evolving threat landscape. We do this by performing an IT general controls review, a vulnerability assessment, a penetration test, and social engineering testing. Particularly for the institutions without staff who are incredibly knowledgeable about information security, this is valuable, because they don’t have time to monitor and stay up-to-date on emerging threats. We, on the other hand, dedicate ourselves to staying one step ahead of the bad guys and working with our customer base to remain secure.
Q: We find most banks are purchasing cyber liability insurance but don’t always know what they are purchasing. What have been your findings with respect to cyber insurance?
Schultz: I couldn’t agree more. The cyber liability and insurance landscape is brand new, and is constantly changing. There are many different kinds of policies, and the type of coverage can vary from provider to provider. If it were me, I’d want an expert to evaluate my policy so that I know exactly what I’m getting, and precisely what’s covered.