
Regulators detail cybersecurity expectations

Community banks need to make cyber risk management ‘business as usual’

Bank regulators expect all banks to demonstrate critical cyber risk management in at least four areas: governance, threat intelligence, vendor management, and incident response and resilience.

This was the key message of a recent webinar presented by the Federal Financial Institutions Examination Council, which emphasized that midsized and community banks increasingly are targeted by cyber criminals. Approximately 5,000 CEOs and senior managers attended the webinar, FFIEC says.

“The financial services sector is facing high-impact, high-likelihood threats that will require better risk management. The topic of cyber security can be overwhelming, but getting a grip on these four concepts is a vital first step,” said Chris Olson, supervisory financial analyst for the Federal Reserve Board of Governors, during the presentation. “We need to integrate cyber risk management into business processes as a business-as-usual activity. Regulators want to see evidence that vendor risk is managed over the life of the contract, that threat intelligence is used to inform risk assessments, and, of course, that appropriate governance processes exist.”

Olson provided these key questions that CEOs and other senior managers should ask for each of the four areas:

  • Governance—How is the staff at my institution providing me with accurate and timely information about our risks and our ability to mitigate them, so that I can prioritize our resource allocations and inform the board of directors?
  • Threat intelligence—How is my organization identifying and monitoring cyber threats and attacks both to my institution and to the sector as a whole? How is this information used to inform my risk assessment process?
  • Third-party relationships—How are we managing the third-party relationship risk management life cycle at our institution to ensure that we are selecting the best third parties and identifying, monitoring, and mitigating the risk exposure for third parties?
  • Incident response and resilience—How often is my institution testing its plans to respond to a cyber attack? Do these tests include our key internal and external stakeholders?

FFIEC also announced a vulnerability and risk-mitigation assessment as well as a regulatory self-assessment of supervisory policies that will be conducted later this year. The assessments will help the FFIEC member agencies make informed decisions about the state of cybersecurity across community institutions, address gaps, and prioritize necessary actions to strengthen supervisory programs.

John Ginovsky

John Ginovsky is a contributing editor of Banking Exchange and editor of the publication’s Tech Exchange e-newsletter. For more than two decades he’s written about the commercial banking industry, specializing in its technological side and how it relates to the actual business of banking. In addition to his weekly blogs—"Making Sense of It All"—he contributes fresh, original stories to each Tech Exchange issue based on personal interviews or exclusive contributed pieces. He previously was senior editor for Community Banker magazine (which merged into ABA Banking Journal) and for ABA Banking Journal and was managing editor and staff reporter for ABA’s Bankers News.
