DEFENSESTORM BLOG

Cybersecurity Risk 2024: Keeping Pace with Evolving Standards

Friday, March 29th, 2024


A proposed rule from the Federal Deposit Insurance Corporation (FDIC) will establish new regulatory standards and increase the focus of cybersecurity risk management and governance while bringing an expectation of faster response times and real-time remediation of deficiencies.

Increasing Scrutiny of Cybersecurity Risk

Now that we’ve reached the end of 2024’s first quarter, it’s important to keep in mind the pressing issues and challenges that financial institutions (FIs) are facing this year. Concerns like election scams and banking trojans in mobile apps are hot topics that specifically target FIs and can wreak havoc on cybersecurity risk and readiness plans. Institutions must be proactive in enhancing risk management and governance practices to ensure their program stays ahead of new and emerging risks and regulatory expectations.

The Federal Deposit Insurance Corporation (FDIC) has a proposed rule that will establish heightened standards for governance and risk management for banks with assets above $10 billion. While this doesn’t apply to smaller banks or credit unions, it creates a new precedent for institutions that fall below that threshold. It was not too long ago that regulatory scrutiny and evolving standards focused on institutions with assets above $100 billion, and then $50 billion…and so on. This new wave of regulatory focus puts a larger microscope on risk management and governance and brings an expectation of faster response times and real-time remediation of deficiencies.

Enhanced Scrutiny of Cybersecurity Risk

Enhanced scrutiny is centered on preventing systemic breakdowns within the FI to protect the institution’s safety and soundness. It also focuses on management’s ability to identify and mitigate risks in a timely manner and correct any areas of identified deficiencies. This increased intensity will require FIs to assess their current state of risk governance, including but not limited to cybersecurity risk management policies, systems of controls, data and systems infrastructure, and the institution’s corporate and risk governance structure. Even those not subject to these heightened standards should pay close attention to its directives.

Under FDIC’s proposed rule, covered institutions must be able to prove that their ongoing assessments of risk at both the front line and independent risk management units are effective at strengthening risk management or reducing risk. Many community banks and credit unions have yet to formalize the three lines of defense. As mentioned before, the asset threshold for these types of guidance continues to shrink; thus, the writing on the wall is clear that this will become a standard risk management structure required of all institutions in the not-so-distant future. The three lines of defense model calls for three units for monitoring and reporting adherence to the risk management program: the front line units (aka business units), independent risk management (IRM) under the direction of the CRO, and internal audit. Both IRM and internal audit should have direct access to the board and relevant committees.

Implementing a Cybersecurity Risk Committee

Beyond formalizing the three lines of defense, institutions of all sizes should implement a risk committee. This committee is chartered to monitor the institution’s risk profile relative to the institution’s risk appetite and its adherence to defined risk limits. The risk committee should oversee the effectiveness of risk management and the three lines of defense including the front line’s compliance with policy and defined risk limits and oversight of the independent risk management function. FDIC’s guidance goes further than just a risk committee and calls for a specific cybersecurity committee if the institution’s risk profile warrants targeted oversight. Institutions should be asking themselves if their current governance structure allows for informed, in-depth consideration of risks and policies for cyber risk management.

One glaring focus of not just the FDIC’s proposed rule but also the New York Department of Financial Services (NYDFS) Part 500 2023 amendment is the need for expertise at the board level. Part 500 exclusively covers cybersecurity and calls for the governing body to have sufficient understanding of cybersecurity matters to exercise oversight. The FDIC’s proposed rule is not cybersecurity specific like Part 500; however, it calls for diversity in experience to prevent knowledge gaps. Knowing that an obstacle to properly governing cyber risk within institutions is the lack of expertise at the board level, we can assume this is the motivation behind preventing knowledge gaps in an institution’s key governing body. This can be achieved with diversity in board composition, more frequent board training, or establishing focused committees for targeted oversight.

The point – YOU CAN’T GOVERN WHAT YOU DON’T UNDERSTAND!

The growing intensity of regulatory expectations means that FIs must be ready. Regardless of whether an institution is covered under the FDIC’s proposed rule, FIs need to begin implementing these heightened standards enterprise wide, especially in cybersecurity and information security programs, as these have been an area of increased regulatory focus for some time. Ensuring strong cybersecurity risk management and governance programs are in place for information and cybersecurity can prevent devastating events that would damage what could be a promising year. It’s said often – “I didn’t think it could happen to me” – and while that may hold true in selected instances, it’s always better to be prepared and be proactive in your defense. While these proposed heightened standards may not be appropriate for your current level of maturity, they should be the goal that your institution is working towards, as they will soon become the standards for risk management and governance at institutions of all sizes and sophistication levels.

With DefenseStorm’s built for banking approach, institutions rest easy knowing they’re prepared for increasing regulatory scrutiny, have the right foundation for effective cyber risk management, and are well-prepared for 2024 and the future. Learn more about our integrated cyber Risk Assessment and Governance platforms, or contact our team of experts to find out how you can ensure you are truly Cyber Risk Ready.

Jessica Caballero

Senior Product Manager - Compliance

Jessica Caballero, Senior Product Manager Compliance and Risk, CERP, CRCM. Jessica was an examiner for the Office of the Comptroller of the Currency (OCC). After leaving the agency, she worked as both a banker and a consultant focused mainly on compliance and risk management. Since 2015, Jessica has applied her subject matter expertise to the creation of technology solutions that solve critical problems for financial institutions. At DefenseStorm, she leads product decisions specific to compliance and risk as a Senior Product Manager. Jessica earned her bachelor’s degree in business economics from Texas State University and achieved the Certified Enterprise Risk Professional (CERP) and Certified Regulatory Compliance Manager (CRCM) designations from the American Bankers Association (ABA).