How to do a cybersecurity risk assessment

As community banks increasingly rely on digital tools, cybersecurity risk also grows. But a cybersecurity risk assessment can help a community bank understand, control and mitigate such risk.

“Risk assessments are used to identify hazards that could negatively impact an organization’s ability to conduct business,” says Joel Williquette, ICBA’s senior vice president of operational risk policy. “They can be used to identify mitigating controls that result in reduced risk and are a critical component of risk management strategy and data protection efforts for community banks.”

Issues may occur in a community bank’s internal systems or in those of their third-party service providers. These run the gamut from ransomware, phishing and malware to data leaks and insider threats.

Luckily, gauging cybersecurity risk is similar to measuring other types of risk. You consider the likelihood of events, the impact on the organization and the effect of mitigating factors like new technology, updated processes and procedures, and employee training. Using a virtual private network (VPN) or implementing a firewall are just two examples of mitigating controls for the risk that modern banking introduces to a community bank.

Building a list of risks that need to be measured, mitigated, monitored and reported on is a first step to risk assessment and management, Williquette says.

“You can start from scratch by identifying a list of risks and grouping them by type or function, or you may inherit a pre-existing list or purchase a pre-constructed list and modify it to suit your needs,” he says. “Many IT operations are going to be similar to yours, so if it is in your budget to purchase a risk assessment tool, there are many to choose from.”

A substantial risk? Employees

As community banks become increasingly driven by technology, more of their employees and vendors access the web in their daily work. They remain as a substantial risk to cybersecurity. Employees and other internal actors account for about 20% of all cybersecurity incidents due to misuse actions, human error or because they lack the training, according to Verizon’s 2021 Data Breach Investigations report.

Training is critical to help employees understand the importance of robust cybersecurity practices. While community banks may have strong policies about use of emails, social media or other web connections, it’s important to have a positive, nonpunitive culture to encourage reporting of suspected incidents.

In 2020, due to rising numbers of online transactions and people working remotely during the COVID-19 pandemic, criminals have enjoyed myriad new ways to target individuals and organizations, Fintech News reported. Some of the statistics are shocking and unexpected: 80% of firms have seen an increase in cyberattacks, and 27% of attacks targeted banks or healthcare organizations.

Two kinds of risk assessments

The cybersecurity risk assessment process is not “one and done,” nor should it be reserved for examination prep.

Williquette says there are two basic types of risk assessments. One is for a specific individual purpose, and the other is a company-wide assessment to look at the global environment of systems and functions to evaluate overall risk. Individual product or service risk assessments would be done before making new purchases, significant system changes or upgrades, or before applying new mitigating controls.

“Individual risk assessments should be done regularly and not just yearly or only triggered by regulatory examinations,” he says. “They should be baked into your decision-making processes before decisions are made.”

These evaluations should consider whether a new solution or service can help reduce risks and justify its purchase. “Risk can also be used as a decision-making criterion to help select technologies with the lowest overall risk ratings,” Williquette says. “During a technology evaluation, be sure to focus on security-related questions, not just features and functionality.”

That individual risk assessment will be part of the overall analysis. “Company-wide risk assessments should include not only internal systems and bank functions, but also vendor relationships if there is a significant reliance on that vendor,” Williquette says. “They should be completed at least yearly, or as your bank’s appetite for risk dictates.”

Build a cybersecurity culture

Community banks should evaluate cybersecurity risk like any other risk, according to the Federal Financial Institutions Examination Council (FFIEC). “It is not simply the obligation of those employees in the server room, but rather an enterprise-wide initiative involving all employees. It is critical the board institute a corporate culture prioritizing cybersecurity,” the FFIEC said.

Williquette notes that regulators use a risk-based approach to the examination and oversight of banks.

“That is a great benefit for community banks and allows us to do different things based on the bank’s size and complexity,” he says. “Proactive risk assessments, including those for cybersecurity, are a cornerstone of that process. Community banks need to bake cybersecurity risk assessments and management into their day-to-day process to derive the greatest benefit.”