When it comes to bank regulation, few people have a better handle on it than Bill Neville. He has been around banking for quite some time and certainly can be called an expert in bank processes. Bill was formerly the President of Finastra – North America, a multi-national financial technology firm. In that role, he worked with thousands of US Community Banks and Credit Unions providing software and online services.
Our recent conversation was eye-opening. Bill sees an industry that has evolved over time to address a myriad of risks and opportunities, now on high alert. He sees a banking industry confronting a very significant risk, and an associated shift in priorities, related to cyber security. That topic is at the top of the agenda for the FFIEC and State Regulators, as he feels it should be.
Regulatory audits appear to have three overriding priorities:
- Cyber Security / Intrusion Prevention
- Disaster Recovery
- Business Continuity
According to Bill, “The cost to a financial institution from a cyber security breach is practically immeasurable and raises the possibility that the institution may not survive the impact, which is the key driver behind this audit focus.” He continues, “These audits look for proof that the institutions and the service providers do EVERYTHING in their power to mitigate the risk associated with a Cyber Attack.”
Bill believes that regulators are expecting every financial institution to deploy the best people, the best tools, and the best processes against this threat and just “checking the box” will not do.
This is exactly where we, Threat Ready Resources, see both trouble and opportunity. Let’s start by looking at the trouble aspect: Cyber risk assessment focuses on three primary areas – Technology, Policies and Procedures, and People. Threat Ready focuses on the risk associated with People.
Employee mistakes are at the heart of most breaches. According to an IBM study, 95% (yes, 95) of breaches include human error. To date, employee cyber awareness training has not worked to mitigate this risk. According to a UMass study, fewer than 50% of employees are prepared for today’s cyber world. That is a risk that no bank can afford to take and that regulators will monitor with a sharper and sharper eye.
Regulators are being forced to look beyond whether training has simply occurred. They will need to look at the qualitative aspect of the training and determine whether it is bringing about the necessary long-term behavior change. To be effective, employee cyber security training must create behavior that is as instinctive as putting on a seat belt or reaching for a fire extinguisher at the smell of smoke.
The “People Risk” may be the one area that is most controllable... if done correctly. Community Banks and Credit Unions can make a significant difference in this area, but it takes more than buying some training tools. Effective employee behavior change means implementing year-round internal communications campaigns using the latest training methodologies and, like so many processes, it makes great sense to have the process managed by the pros, so the Financial Institutions can do what they do best: serve their customers!