What Community Banks Need to Know About Regulatory IT Assessments

March 29, 2017 by Rob Spofford
Interview the Expert

An Interview with W. Jackson Schultz

Lynne McCauley, Managing Director for The Spofford Group, recently sat down with W. Jackson Schultz, senior auditor with OCD Tech, to talk about the importance of cyber policies and compliance, some of the challenges smaller community banks face when it comes to regulatory IT compliance, and the role of cyber liability insurance for banks and financial institutions.

About the interview subject: W. Jackson Schultz is a senior auditor with OCD Tech. Jackson primarily works with community financial institutions to help them comply with federal requirements while also ensuring they have security best practices in place. Prior to joining the firm, Jackson worked as a security consultant for a boutique consulting firm with a focus on financial institutions and HIPAA-covered entities. He has worked as an outsourced CISO and CTO, and has participated in audits in a variety of capacities. He has earned his Certified Information Systems Auditor (CISA) designation through ISACA and is currently working towards his Executive Master in Cybersecurity from Brown University. Email/www.ocd-tech.com/ http://ocd-tech.com/team/w-jackson-schultz/

About the interviewer: Lynne McCauley assists clients with understanding their risk profiles and implementing insurance programs designed to maximize coverage and cost efficiency. In her 24 years in the insurance industry, Ms. McCauley has held a variety of roles, including Private Equity/Venture Capital and M&A Consultant, Financial Institutions Practice Leader, and Financial and Professional Lines Practice Leader. She has also underwritten and brokered insurance solutions for publicly and privately held banks, investment advisers, hedge funds, private equity, venture capital, technology, and financial technology clients. Ms. McCauley is a licensed casualty, life, health and accident broker in multiple states. She is a member of the Professional Underwriting Society and 100 Women in Hedge Funds, and leads The Women’s Executive Roundtable. https://spoffordgroup.com/lynne-mccauley/

Key Takeaway

“If there were an area that I’d say needs enhancement though, it would be security awareness training. Creating a security-aware internal culture is key to social engineering prevention. In my opinion, the human employee, or carbon-based vulnerability as I like to call them, is the largest ‘weakness’ within these institutions.”

Q: What are regulators looking for in assessing bank IT risks?

Schultz: Currently, it seems that the regulators are as interested in cybersecurity as they are in vendor management. The focus seems to be entirely on the FFIEC Cybersecurity Assessment Tool (CAT) and the way that vendors are risk-rated and tracked. The regulators are also interested to see whether vendor due diligence materials are currently being maintained and reviewed. Finally, regarding vendor management, the examiners want to see alignment between vendor response times in the case of a disruption and the financial institution’s business continuity plan. This can be found in Appendix J of the Business Continuity Planning Booklet of the FFIEC IT Handbook.

Q: Where are you finding most banks have weaknesses?

Schultz: ‘Weaknesses’ is a bit of an unfair word for community financial institutions. Sure, these institutions don’t have as large a budget as a multinational bank, but for their size and the amount of data they process, with the exception of a few outliers, they implement strong internal controls and work with knowledgeable vendors when they do not have internal expertise. If there were an area that I’d say needs enhancement though, it would be security awareness training. Creating a security-aware internal culture is key to social engineering prevention. In my opinion, the human employee, or carbon-based vulnerability as I like to call them, is the largest ‘weakness’ within these institutions. As long as people continue to click on malicious links, these financial institutions will continue to be vulnerable.

Q: What are the challenges for the banks in staying abreast of current cyber threats?

Schultz: The challenge is really related to a few things. It’s definitely difficult for smaller-scale financial institutions to afford the talent that the big banks can, and that will put them a bit behind. With that being said, the information overload that they are expected to digest can, a lot of the time, be incredibly overwhelming. Organizations like the Financial Services Information Sharing and Analysis Center, or FS-ISAC, are much needed in this industry. Sometimes, however, the information that is sent through their channels is not comprehensible to the smaller institutions that have nontechnical staff. Finally, rigorous compliance requirements take a hefty toll on an institution’s budget, leaving them short on funds to invest in important areas related to cybersecurity.

Q: What is the role of an IT Security vendor in helping banks maintain IT security?

Schultz: At OCD Tech, the IT Audit & Security Division of O’Connor & Drew, P.C., our role is to ensure that financial institutions meet compliance requirements, while also discovering vulnerabilities and advising them on ways to enhance their security posture against an evolving threat landscape. We do this by performing an IT general controls review, a vulnerability assessment, a penetration test, and social engineering testing. This is particularly valuable for institutions without staff who are incredibly knowledgeable about information security, because they don’t have time to monitor and stay up to date on emerging threats. We, on the other hand, dedicate ourselves to staying one step ahead of the bad guys and working with our customer base to remain secure.

Q: We find most banks are purchasing cyber liability insurance but don’t always know what they are purchasing. What have been your findings with respect to cyber insurance?

Schultz: I couldn’t agree more. The cyber liability and insurance landscape is brand new, and is constantly changing. There are many different kinds of policies, and the type of coverage can vary from provider to provider. If it were me, I’d want an expert to evaluate my policy so that I know exactly what I’m getting, and precisely what’s covered.
