Regulation and guidance aren’t known for light reading. Long, dense, and detailed yet frustratingly vague, it takes a lot of focus to make it through to determine what it means to your institution.
Bankers don’t always get it right. Why not?
- They are busy/tired. Compliance professionals have a lot on their plates. Balancing new rules with enforcing old rules—all while the pandemic upends their personal lives—means mistakes will naturally happen.
- They don’t have the expertise. Whether they are new to compliance or a particular area of compliance, it takes a while to get a feel for interpreting rules and regulations. Going through the exam cycle a few times makes a big difference in understanding what regulators are really looking for.
- They see what they want to see. The human brain has a way of playing tricks on us. We tend to notice information that supports our worldviews and ignore information that doesn’t. It’s called confirmation bias, and it happens to everyone. If we’re really struggling with implementing a rule, it can be easy to interpret information in a way that suggests you’re off the hook (even if you aren’t). It’s basically wishful thinking, and it happens to even the best bankers.
Misinterpreting Cyber Guidance
Consider a recent piece of cyber guidance for credit unions. A July update to the NCUA’s Supervisory Priorities for 2020 states “The NCUA has transitioned its priority from performing Automated Cybersecurity Examination Tool (ACET) cybersecurity maturity assessments, to evaluating critical security controls.”
A compliance officer or CTO could be forgiven for falsely assuming they could skip out on the ACET and the FFIEC Cybersecurity Assessment Tool (CAT), but a careful reading of the rest of the document shows us that this is not the case. The CAT remains highly relevant.
Why? Let’s break it down.
NCUA IT Risk Pilot Program Asks about the CAT
In the same paragraph addressing the shift away from ACET, the NCUA announced it’s piloting an Information Technology Risk Examination solution for Credit Unions (InTREx-CU) similar to what’s used by the FDIC, Fed, and some state financial regulators to create consistency across regulators.
NCUA says the goal is to “identify and remediate potential high-risk areas through the identification of critical information security program deficiencies as represented by an array of critical security controls and practices.”
One of the many questions included on the FDIC’s InTREx profile is:
"Has the institution assessed its cybersecurity risk and preparedness in the last 12 months using FFIEC CAT, FSSCC Profile, NIST, or any other assessment tool?"
Why does InTREx ask about the CAT tool? It’s because the FDIC knows it’s aligned with the FFIEC IT Exam Handbook, the NIST Cybersecurity framework, and industry-accepted cybersecurity practices. While it doesn’t require the CAT, the FDIC’s examiners expect FIs to have used “appropriate tools, frameworks, or processes” to assess cyber risk and preparedness.
The NCUA guidance also directs CUs to the Cybersecurity Resources page of the NCUA website, which includes content regarding the Cybersecurity Assessment Tool.
What Does the NCUA Want to Know About Cybersecurity?
Like you, the NCUA doesn’t have unlimited resources. It needs to decide where to focus its time and attention during exams.
Rather than go through every line of the ACET, which was a reporting tool for the CAT, the NCUA is instead homing in on internal controls representing critical, high-risk areas.
They are essentially asking:
- Do you have internal controls for cybersecurity?
- Are those internal controls effective?
- What are you doing to manage your internal control framework?
To answer those questions, your FI needs to know its cybersecurity risks and priorities. If you don’t identify areas of risk and rank them by priority, you won’t know which controls are most critical.
How Will You Identify High-Risk Areas of Cybersecurity?
The gold standard for internal controls is COSO’s Internal Control – Integrated Framework. Many regulators have endorsed COSO, including the Federal Deposit Insurance Corporation (FDIC), the Federal Reserve, and the OCC which have “encouraged [institutions] to evaluate their internal control against the COSO framework." The National Credit Union Administration (NCUA) describes it as “the internal control framework most often cited” by credit unions.
COSO says effective internal controls have five components:
- Control environment. These are the “standards, processes, and structures” the board and senior management create to ensure internal controls are followed. These include oversight and responsibility, performance measures, and accountability.
- Risk assessment. Identifying and assessing risks, their impact on business objectives, and the suitability of the response to them.
- Control activities. Documented actions dictated by policy and procedure that ensure risks are mitigated.
- Information and communication. Enterprise-wide communication in all directions to ensure internal and external information is shared in a timely fashion.
- Monitoring activities. Evaluations to ensure the first four components are properly executed.
Essentially, key/primary controls are identified, weighed, and reviewed to understand residual risk better.
How can this be effectively accomplished for cybersecurity internal controls? I bet you know where this is going. The CAT tool helps management enhance oversight and management of cybersecurity by:
- Identifying factors contributing to and determining the institution’s overall cyber risk.
- Assessing the institution’s cybersecurity preparedness.
- Evaluating whether the institution’s cybersecurity preparedness is aligned with its inherent risks.
- Determining risk management practices and controls that are needed or require enhancement and actions to be taken to achieve the desired state.
- Informing risk management strategies.
By using the tool, FIs can determine cybersecurity risks and weaknesses so they know which internal controls to prioritize and then assess and monitor their effectiveness. When examiners come in looking to review specific internal controls, FIs should already know which controls will be of greatest interest to examiners and be assured that they are strong and align with the FI’s risk tolerance.
4 Tips to Avoid Misinterpreting Guidance
It’s easy to misinterpret guidance, but there are things you can do to avoid it.
- Double-check that you’re using the most updated version. You don’t want to rely on outdated guidance. Verify you’re using the most up-to-date regulation and guidance, especially when it comes to rapidly evolving areas like cybersecurity.
- If it’s too good to be true, it probably is. If you’re reading guidance and it’s making you really happy, step back, take a minute, and re-read it with a critical eye. If a huge regulatory burden had been lifted or the guidance were going to make banking simpler, you’d be hearing about it from banking media and your peers.
- Talk to your examiner. Your examiner wants you to succeed, and it’s wise to build a relationship with them. Don’t be afraid to reach out and talk to your examiner throughout the year when you’re confused by the nuance of guidance or regulation. They’ll appreciate that you’re dedicated to doing things correctly.
- Outsource interpretation. If you don’t have the time, the knowledge, and/or the desire to comb through regulations to understand what they mean, whether they apply to your FI, and how to implement them, that’s a task that can be outsourced as part of your compliance management system. When you leave it to experts, it can free you up to tackle other tasks.