Banking: Efficiency and Effectiveness of Internal Controls
Banks today are “critically dependent on IT to conduct business operations,” notes the Federal Financial Institutions Examination Council (FFIEC). Given their level of exposure to hackers and other cyber threats, it’s more important than ever before for banks’ boards and senior management to understand and manage cybersecurity risks.
Last summer, in an effort to evaluate financial institutions’ cybersecurity preparedness, the FFIEC piloted a cybersecurity examination work program (the “Cybersecurity Assessment”) at more than 500 community banks. Ultimately, the FFIEC will use what it learned to update its guidance to align with changing risks. But the agency’s “Cybersecurity Assessment General Observations” helps point banks in the right direction and provides questions for boards and management to consider as they assess their institutions’ preparedness.
Is your bank well connected?
Inherent cybersecurity risk varies significantly across institutions, the FFIEC stresses. So your bank’s first step in evaluating its risk should be to examine its IT activities, including connection types, products and services, and technologies used.
Connection types include virtual private networks (VPNs), wireless networks, local area networks, file transfer protocol (FTP) and bring-your-own-device (BYOD) programs. Because each connection represents a potential entry point for cyber attacks, ask whether your bank really needs all of these connections and whether reducing the types or frequency of connections would improve your management of risk. For example, the risks associated with allowing employees to connect their own devices to the bank’s network may greatly outweigh the benefits.
You also should evaluate specialized cybersecurity risks associated with your bank’s products and services, such as Automated Clearing House (ACH) and wire transfer services. Criminals could possibly use stolen customer or employee credentials to commit wire transfer or ACH fraud.
ATMs may expose your bank to ATM cash-out scams, and Web-based services may be vulnerable to distributed denial-of-service attacks. Evaluate as well other technologies your bank uses, such as cloud computing and mobile applications.
Risks of mobile banking apps
No bank can afford to ignore mobile banking. Many customers now demand the convenience of such services as remote deposits, mobile bill-paying and person-to-person payments — and the ability to perform them at any time and from anywhere on a smartphone or tablet. Mobile banking benefits banks, too, enabling them to expand their geographic reach without adding physical branches.
Before you introduce mobile banking services, though, it’s critical to understand and address the security risks. Because smartphones and tablets are more easily lost or stolen than laptop and desktop computers, mobile banking demands security measures above and beyond those commonly used for Internet banking.
For example, mobile banking apps should be configured so that passwords aren’t saved on the device. And multifactor authentication — using fingerprints or other biometric methods, for instance — can help prevent thieves from accessing customers’ accounts.
Are you prepared?
Once you have assessed your bank’s inherent risks, review your current cybersecurity practices and overall preparedness to mitigate them. The FFIEC urges banks to focus on five areas:
- Risk management and oversight. Set the “tone at the top” and build a security culture by routinely discussing cybersecurity issues in board and senior management meetings. Ask how accountability for managing cyber risks is determined and about the process for ensuring employee awareness of, and effective response to, cyber risks.
- Threat intelligence and collaboration. How does your bank gather and analyze threat and vulnerability information? And how does it leverage this information to improve risk management practices? What reports on cyber events and trends does your board receive?
- Cybersecurity controls. What’s your bank’s process for devising and implementing preventive, detective, and corrective controls on its network? Do you review and update controls when your IT environment changes? Make sure that you have a process for classifying data and determining appropriate risk-based controls, and for ensuring that identified risks are remediated.
- External dependency management. Most banks’ networks are connected to third parties, such as service providers, business partners and customers. How is your institution connected to these third parties? Identify what your bank is doing to ensure that they’re managing their cybersecurity controls. And know their action plans in the event of a cyber attack.
- Cyber incident management and resilience. A bank should have documented procedures for notifying customers, regulators, and law enforcement of a cyber attack that affects personally identifiable customer information. Have you expanded your bank’s business continuity and disaster plans to cover cyber incidents? Do you test these plans regularly?
Strength in numbers
One of the most powerful strategies banks can employ in their fight against rapidly evolving cyber threats is to collaborate and share information with other institutions. The FFIEC recommends that institutions of all sizes participate in the Financial Services Information Sharing and Analysis Center, a private-sector not-for-profit information-sharing forum. Information sharing improves your bank’s ability to identify, respond to, and mitigate cybersecurity threats and incidents. It also gives you access to the latest techniques for identifying vulnerabilities in your systems and enhancing controls.
© 2015