FDIC Could Lower Ratings, Fine Banks over Cyber Risk, Chairman Says

August 23, 2019  Jeff B. Copeland

The Federal Deposit Insurance Corporation (FDIC), which regulates half the banks and savings institutions in the U.S., will include cybersecurity risk in its examinations and may fine banks that suffer a breach.

FDIC Chairman Jelena McWilliams recently told CNN Business that “it’s something we are monitoring and making sure that the risk profile of the banks is commensurate to how much money they are spending and how good their defenses are…

“We would take a look at their cybersecurity…during the exam. If we find deficiencies in the exam…we would give them a list of those issues to fix and then we would monitor progress to make sure they have fixed them between that exam and the next exam. We may do like a spontaneous exam in the meantime.”

If the bank didn’t make the recommended mitigation and then suffered a breach, “we would certainly have an FDIC enforcement action against that bank…including a fine and their management ratings…would go down.” Low ratings could mandate an agreement between the bank and the FDIC to improve performance.

McWilliams’ statement is the latest in a series of warnings from financial regulators to institutions not only to control their cyber risk but to prove to regulators that, in McWilliams’ words, their risk profile is “commensurate to how much money they are spending.” That’s also the spirit of mandates from the Securities and Exchange Commission to public companies and from the New York Department of Financial Services to its regulated institutions, virtually all national financial companies.

Many banks and other financial institutions have adopted the FAIR model and the RiskLens platform to meet these new demands from regulators. RiskLens customers in banking typically first run a top-five risk analysis to find which assets pose the most risk of financial losses, and from what kind of attack, then use the what-if analysis to model potential improvement from various security investments—all with reporting in financial terms that are defensible to regulators. Learn more in this blog post:

How I Analyzed the Top 10 Cybersecurity Risks for a Financial Institution (a Deep Dive)