Regulatory Compliance Is Not Enough: Elevating Your Bank’s Cybersecurity

BY JASON CORDER

For many bankers, cybersecurity is a strange and mysterious part of the banking universe. Technical-sounding components, such as firewall configurations, intrusion prevention systems, vulnerability management, and encryption levels, often perplex even the most seasoned banking professionals. While bankers may have a general knowledge of what these components are, they often do not grasp them as deeply as they understand the primary areas of banking.

I’ve observed senior bank officers easily discuss sophisticated topics like debt service coverage ratios, debt repayment capacities, interest rate risk measurements (such as the economic value of equity), and complex bond portfolio metrics, then mentally hang up the “Do Not Disturb” sign when the conversation shifts to their bank’s cybersecurity. It’s entirely possible that they feel comfortable doing this because they have received good results on their recent regulatory exams. There may be an assumption that “the folks in IT are doing a good job” because the bank got a One or Two rating on its IT exam. However, this assumption could be a significant mistake.

Our firm’s chairman, Jimmy Sawyers, often states:

“Because innovation always outpaces regulation by at least two years, waiting on a piece of paper from the government to tell your bank what to do regarding cybersecurity is a surefire recipe for disaster.”

Being in compliance with regulatory guidelines is not the same as being safe and secure. The process for updating regulations can be slow and cumbersome, whereas the threat landscape moves rapidly and is constantly changing. Additionally, regulations frequently fail to address or require the best practice activities that are becoming necessary to protect your bank’s environment.

For example, does your bank have 24/7 monitoring of your environment through a Managed Detection and Response (MDR) provider? This is not required by regulation. However, if a bad actor is on your network today, how would you know? What happens when your bank’s IT employees sleep, go on vacation, or step away from their phones or computers? An MDR provider gives banks an advantage because the provider can monitor the bank’s network and has the ability to quarantine impacted devices if bank IT personnel do not respond right away. This means that management does not have to pin all their hopes on the bank’s IT employees always being available and up to date on the latest cybersecurity threats.

While having an MDR or Managed Security Service Provider (MSSP) is becoming the norm, we have never seen a regulatory exam report criticize a bank for not having such a service. This is appropriate, though, because FFIEC guidelines do not require this type of service, and making this type of recommendation is not the role of the regulators. Instead, banks should engage a competent and independent firm as their partner to assist in reviewing and testing bank controls and environments. While this type of firm will work with the bank’s IT team, the firm will work for the bank’s Board of Directors, which adds an extra layer of objectivity and control. A competent consulting firm will review for regulatory compliance (the bare minimum), but the greater benefit comes from having a firm that understands the risk/reward proposition of banking and assesses your environment for the latest best practices in IT and cybersecurity controls. Having a partner like this, along with involvement from an engaged management team, can help a bank to better understand and ultimately reduce its cybersecurity risk.

Jason Corder is Senior Vice President with Sawyers & Jacobs LLC, a consulting firm focused on serving financial institutions. Sawyers & Jacobs is an ACB Associate Member. Jason may be reached at 901-828-1942 or jcorder@sawyersjacobs.com.

Arkansas Community Banker | 11 | Winter 2025