According to a 2020 IBM study, the Finance and Insurance sector was the most targeted vertical for four straight years, making up 17% of all attacks on the top ten industries. With a disproportionate slice of the cyberattack pie, it’s critical for the financial industry to take appropriate action to protect its clients’ personal and financial information as these trends are likely to rise.
This is where regulating bodies come into play. If you work for a financial institution, you can probably remember your first few days on the job and the alphabet soup of acronyms that were thrown your way. Some of the most commonly referred to were probably the FDIC and OCC…and for good reason. These two organizations hold the keys to your success.
Today, we’ll break down the ABCs of the FDIC and OCC, how you can comply with their regulations, what happens if you don’t, and how to mitigate internal and external risks to ensure you dot your i’s and cross your t’s when an inspection rolls around.
A Brief History of Regulating Bodies
FDIC
The FDIC, short for the Federal Deposit Insurance Corporation, was founded at the tail-end of the Great Depression in 1933. Their mission was to help Americans trust the nation’s financial system through insuring deposits, supervising and examining financial institutions for operational safety, and protecting customers when their institution fails.
The FDIC supervises and examines more than 5000 US financial institutions annually for compliance and frequently updates its guidelines to help organizations identify and mitigate risks based on current trends and data from other government organizations.
OCC
The Office of the Comptroller of the Currency (OCC) was created by President Abraham Lincoln in 1863 when he signed the National Currency Act into law. It is another organization that strives to ensure federal savings organizations and national banks comply with applicable regulations to provide their customers with fair access to financial services.
The OCC is also the primary regulator for banks chartered under the National Bank Act, as well as, federal savings organizations chartered under the Home Owners’ Loan Act. They supervise 1,175 banks each year. The OCC works with the FFIEC to conduct assessments of their institutions’ security.
Since the dawn of the World Wide Web, both the FDIC and OCC have been watching the ways the internet has changed the security landscape. Gone are the days spent locking up a rolodex in the filing cabinet and ensuring only authorized personnel have the key. Now, the primary concern is protecting your institution’s online database, wireless transactions, and email communications.
Be Prepared for Your Compliance Review
Both the OCC an FDIC conduct examinations of their supervised institutions. These audits are conducted with limited notice to ensure organizations are sincerely in compliance at all times and not just in time for the auditor to show up.
When you hear the word audit, it may conjure up feelings of apprehension and fear, but it doesn’t have to be that way. Audits can feel like a big undertaking; however, if you continuously prepare documents as they come in, you can save a lot of time and more than a few headaches. The first step to audit preparedness is understanding which items each organization looks at.
The FFIEC works with the OCC and FDIC to conduct assessments. Luckily the FFIEC has plenty of resources to help you know what will happen when it’s time for them to assess your business. Here’s what you can expect when it’s time for your audit:
1. An Inherent Risk Profile
Your auditor will want to know if your organization is engaging in practices that put your clients’ information in imminent danger of being compromised. This first assessment will include evaluation of elements such as delivery channels, connection types, external threats, and other organizational characteristics. They will then assign your organization a risk level from least to most inherent risk.
2. A Cybersecurity Maturity Evaluation
The FFIEC will take a look at five different areas of your cybersecurity, otherwise known as domains. The domains are Cyber Risk Management and Oversight, Threat Intelligence and Collaboration, Cybersecurity Controls, External Dependency Management, and Cyber Incident Management and Resilience. They will look at specific criteria for each domain and give it a level of maturity, which measures how consistently the processes of your institution can produce the desired outcomes.
3. Interpreting Assessment Results
After the fact, your organization can look at the assessment data to identify areas needing improvement, as well as, affirm what is already being done well. This is the most crucial, unofficial segment of the assessment as you can then determine the best way to move forward and better protect your clients.
Another type of assessment by the FDIC is a Consumer Compliance Examination. Here are its main components, so you’re prepared no matter who shows up to evaluate your institution:
1. Pre-Examination Planning
This is the information gathering phase. The FDIC has their own records and databases to pull from, but they may also contact your organization to collect further documentation. Typically, you will receive a letter if the FDIC wants to more information from your organization.
2. Review and Analysis
This is the phase where your examiner evaluates your compliance management system for violations. The examiner focuses on gathering information to understand the complexity of the organization and determine the scope of the assessment. This is when the examiner puts feelers out for potential risks to focus on.
3. Communication of Findings
After you complete your examination, the FDIC will communicate its findings with you via a series of meetings and a report of the examination. Much like the third step of the FFIEC evaluation, this step is key in improving your future performance.
The Cost of Noncompliance
Being found in non-compliance is no joke. While there is a window of time to make many corrections after issues are discovered, there are some instances where consequences will be hefty and immediate. If you’re found to be in non-compliance with FDIC and OCC rules and regulations, you and your organization may experience any of the following penalties:
Further Investigation
If you’re found to be in non-compliance, your institution will likely be subject to further investigation. Often there will be plans to dig deeper into whatever the offending violation may be, resulting in formal agreements to take action, cease and desist orders, or even removal and prohibition orders.
Fines
Being issued a fine is one of the more common consequences when found in non-compliance of both FDIC and OCC regulations. Both individual employees and institutions may be responsible for the payment of said fines, depending on the nature of the compliance violation.
Heightened Risk of a Data Breach
At the end of the day, these regulating bodies are here to help prevent security risks, including cyberattacks. Given that the financial industry is disproportionately targeted by cyberattacks, there is also a disproportionate likelihood that your institution will become a target. The financial loss of a data breach can be substantial—a staggering $5.9 million in the financial industry.
Hidden Expenses
Client retention after receiving any of the above penalties will become increasingly difficult because, at the end of the day, clients will have lost significant trust in your organization when it comes to protecting their personal data and transactions. Furthermore, it’s also going to be difficult to hang onto star employees who don’t want to have their professional reputations sullied by remaining at a non-compliant bank. Keep in mind that hiring, onboarding, and training new employees can cost, on average, one-third of the employee’s base salary. It does not take long for those numbers to add up.
Risky Business
Now that you understand the ins and outs of an audit, let’s remember that the FDIC and OCC are here for a reason, not just to scare financial institutions into compliance. They also frequently communicate with other government organizations to identify new or intensifying risks for institutions, especially when those risks may be at the expense of the client. It’s important to check this information regularly so your organization can proactively mitigate the risks and ensure your clients stay happy and safe.
This year, the FDIC and OCC highlighted a heightened level of cybersecurity risk after consulting with the Department of Homeland Security. Here are a few of the most common ways cybersecurity security attacks can look at your organization:
- Phishing: The great equalizer of cyberattacks, anyone from the CEO to the nighttime security guard can fall victim to a phishing attack because they often look so convincing. These attempts usually come in the form of an email or text that appears to be from a known entity. If you see an email that appears to come from a colleague who would like you to click through an unfamiliar link, or from a known organization asking for account details, it’s always best practice to contact the individual or organization directly to confirm that this is email actually originated with them.
- Remote Worker Endpoint Vulnerability: Unfortunately, with the rise of remote work, there are many more opportunities for cyberattacks to fall through the cracks unnoticed. Employees may grow careless with their laptops or mobile devices used to work from home, leading to higher risks of physical theft and cyber attacks. Additionally, with many essential communications taking place over email these days, it’s also more likely that sensitive information will be included in those emails for the sake of efficiency, despite the rules or policies against it.
- A Distributed Denial of Service (DDoS) attack is when there is a malicious attempt to overwhelm a targeted network with a massive amount of traffic to disrupt service. This attack comes from multiple systems and locations, making it a massive pain in the neck to resolve, resulting in substantial time and resources lost in the process.
- Insider Threats: This can go hand-in-hand with remote worker endpoint vulnerability. We’ve said over and over again that human error is one of the leading risks when it comes to your security. Many employees might not even know that they are compromising the cybersecurity of your organization, but there are also instances of malicious intent.
Proactively Mitigate Risk
1. Educate Employees Early and Often
Educate your employees from day one about financial data security so they are aware of the requirements to keep clients’ data secure. Given the trend toward working from home this year, be sure to tailor your education for remote work. This includes sessions about how to appropriately handle phishing emails, keeping personal and company devices secure, and email etiquette to ensure that clients’ personal banking information is not compromised. Be prepared to measure the effectiveness of cybersecurity training programs so you can adjust over time.
2. Add Layers
The more layers of monitoring and security tools you can have, the better. One of the easiest to add is dual factor authentication. Dual factor authentication for both employee access and client transactions is a must. Financial organizations especially should use dual authorization when completing transactions. Additionally, make a habit of regularly reviewing network and system logs for suspicious activity so you can identify an issue before it takes on a life of its own.
3. Look Within
Like the adage says, “Keep your friends close and your enemies closer.” Unfortunately, many of your risks may already be lurking within the walls of your company. Disgruntled employees can pose a massive security risk, especially when it comes to managing client information and funds. Take a look at your company culture and keep a close eye on employees who may be showing signs of disengagement or disdain for their employer or other colleagues.
4. Have a Plan
Make sure you have an incident response plan in the event of the worst-case scenario. If your organization has an extensively tested incident response plan in place, you can drastically lower the overall cost of a data breach. Companies who did this lost on average only $320,000 during a breach, rather than the nationwide average of $3.92 million.
Overwhelmed by these requirements? LightEdge is here to help.
Here at LightEdge, we believe compliance shouldn’t be a headache. With our tailored Compliance as a Service (CaaS) solutions, we are here to help your organization prepare and pass your audit with flying colors.
Our team of experts will work with you to ensure that you are completely prepared for a compliance review before it happens so you can go about your day-to-day without losing sleep. Trust our years of expertise to ensure you are covered through our security and compliance services, including risk management, information security, audit preparedness, and support direct from LightEdge’s CISO.
