Monday, October 1st marked the beginning of the 4th Quarter.  For many financial institutions, this means getting ready for activities such as preparing next year’s budget, completing the 3rd Quarter Call Report, dusting off the strategic plan, and preparing for upcoming Federal examinations and year-end audits. Monday, October 1st also marked the beginning of National Cybersecurity Awareness Month, commemorating the 15th year as an annual initiative to raise awareness about the importance of cybersecurity.  While cybersecurity issues should be routinely discussed in your Board and senior management meetings, National Cybersecurity Awareness Month serves as an important reminder of the need to identify, assess, and mitigate cybersecurity risks and threats.

4th Quarter 2018 and Beyond

The Office of the Comptroller of the Currency (OCC) released on September 25, 2018, its bank supervision operating plan for fiscal year (FY) 2019.  The first supervisory strategy highlighted was cybersecurity and operational resiliency, with an emphasis on maintaining information technology systems and the remediation of identified concerns. Whether your financial institution is regulated by the OCC or any of the other state or Federal agencies, managing cybersecurity risks must remain a priority.

Key Priorities

The following items should continue to be discussed at all levels of your institution:

  • Risk Management and Oversight:
  • Establish an enterprise-wide approach approved by the Board and formulate sound policies, procedures, and objectives. Executive management’s role to identify, mitigate, monitor, and manage cyber risks.
  • Threat Intelligence and Collaboration:
  • Improve your institution’s security posture, with timely monitoring of threat information and intelligence, and by sharing internally, as well as with outside partners, stakeholders, and peers.
  • Cybersecurity Controls:
  • Establish cybersecurity controls to identify, detect, protect, respond, and recover from cyber-attacks.  Document testing and evaluation plans that address and measure these controls for their effectiveness and efficiency.   
  • External Dependency Management:
  • Establish vendor and third-party policies and procedures, and rigorous controls that include ongoing due diligence and monitoring.
  • Incident Management and Resilience:
  • Establish an incident response policy and supporting procedures to improve your ability to respond and recover from a cyber event.


Cybersecurity attacks are not going away.  These attacks are causing billions of dollars in losses every year.  Congratulations to those institutions that have not yet been confronted with a cyber event.  However, do not rest on your laurels.  The old question that was asked is “If you will have a data breach” while the new question to ask is “When will you have a data breach.”

While National Cybersecurity Awareness month provides us all with a nice reminder, it is imperative to remember that cybersecurity awareness MUST be a daily part of everyone’s duties and requires companies not only to talk but to take effective ongoing action.

Bill Kane, Manager of Cybersecurity and Risk, has served as a Federal regulator and has more than 25 years’ experience.