The Top Ways Banks Fail Their Cybersecurity Audits, and What You Can Do About It

by Eric Durbin

March 8, 2024

For more than 92 percent of the banking executives surveyed by the Conference of State Bank Supervisors, cybersecurity was their chief concern and investment area going into 2024. Yet, how often have you been disheartened by the number of cybersecurity remediations you get back from your annual FFIEC audit?

 

You’re not alone if you find yourself nodding along to that statement. As an MSP with a dedicated practice in IT for financial institutions, we’re frequently tasked with cleaning up a long list of citations for incoming clients who have just had their review for the Federal Financial Institutions Examination Council (FFIEC). Because the financial sector runs under uniform rules, we tend to see the same weaknesses and oversights emerge repeatedly.

 

What’s our advice for stopping this cycle? Let’s discuss how to avoid some of the most common cybersecurity traps for community banks.

 

Top Ways Banks Fail Their FFIEC Audit for Cybersecurity

 

When it comes to the average FFIEC audit, pass and fail really aren’t terms that auditors use. Still, every remediation they flag can cost your organization critical time, man-hours, and budget to fix. The quickest and cheapest route is always prevention.

 

What should you fix before the regulators step in? Based on our experience prepping for these audits year after year, here are the top seven ways we see clients failing in their cybersecurity audits.

 

#1—An Inefficient Vulnerability Management Program

 

It’s not enough to install your cybersecurity tools and hope for the best. Banks often fail to create robust procedures around vulnerability management, allowing little things to slip through the cracks. Over time, those minor procedural oversights can turn into open doors that hackers can march straight through.

 

Every vulnerability management program should include strong written policies that are strictly enforced. Specifically, we recommend that financial institutions:

 

  • Conduct thorough weekly scans of their systems and act on the reports generated
  • Monitor patching reports and have a protocol for addressing problems immediately, whether that’s handled by the patching provider, an MSP, or internal staff
  • Identify end-of-life software and replace it before it creates compatibility issues for your whole system
  • Identify missing registry keys needed for the proper installation of a patch
  • Find unquoted service paths that leave applications vulnerable to unwanted privilege escalation
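The last item on that list is easy to check mechanically. The script below is an added example, not code from the article or from Integris: it takes a constructed set of service names and their ImagePath strings (on a real host the same strings come from the PathName property of `Get-CimInstance Win32_Service`, or from the ImagePath value under each service's registry key), flags the ones that are unquoted and have a space in the binary portion, and proposes the quoted form you would set as the service's binPath. Spaces that appear only in the arguments are deliberately not flagged, because only spaces in the path to the binary are ambiguous to the Service Control Manager.

```python
r"""Detect Windows services whose binary path is unquoted and contains
spaces. Added example: the sample services below are constructed, not
taken from any real host. On a live system the same strings come from
`Get-CimInstance Win32_Service | Select-Object Name, PathName` or from
HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath."""

import re
from typing import Dict, List, Tuple

# Everything up to and including the first executable-style extension is
# treated as the binary; whatever follows is treated as arguments.
_BINARY_RE = re.compile(
    r"^(.*?\.(?:exe|sys|dll|bat|cmd))\b(.*)$", re.IGNORECASE | re.DOTALL
)


def split_binary_and_args(image_path: str) -> Tuple[str, str]:
    """Return (binary, args). If no recognised extension is present the
    whole string is treated as the binary, which errs on the side of
    reporting rather than missing a finding."""
    p = image_path.strip()
    m = _BINARY_RE.match(p)
    if m:
        return m.group(1), m.group(2)
    return p, ""


def is_unquoted_with_spaces(image_path: str) -> bool:
    r"""True when the path is not wrapped in double quotes and the binary
    part contains whitespace. In that case the Service Control Manager
    tries C:\Program.exe, then C:\Program Files\Vendor.exe, and so on,
    before reaching the intended binary."""
    p = image_path.strip()
    if not p or p.startswith('"'):
        return False
    binary, _ = split_binary_and_args(p)
    return any(ch.isspace() for ch in binary)


def quoted_image_path(image_path: str) -> str:
    """Suggested remediation: the same path with the binary quoted and the
    arguments left exactly as they were."""
    binary, args = split_binary_and_args(image_path)
    return f'"{binary}"{args}'


def find_unquoted_service_paths(
    services: Dict[str, str],
) -> List[Tuple[str, str, str]]:
    """Scan a mapping of service name -> ImagePath and return
    (service, current_path, suggested_path) for every finding."""
    findings = []
    for name, path in sorted(services.items()):
        if is_unquoted_with_spaces(path):
            findings.append((name, path.strip(), quoted_image_path(path)))
    return findings


# Constructed sample data for the demonstration.
SAMPLE_SERVICES = {
    "Schedule": r"C:\WINDOWS\system32\svchost.exe -k netsvcs -p",
    "GoodVendorAgent": r'"C:\Program Files\Good Vendor\agent.exe" -run',
    "BadVendorAgent": r"C:\Program Files\Bad Vendor\agent.exe -run",
    "LegacyBackup": r"C:\Program Files (x86)\Legacy Backup\bksvc.exe",
    "ExampleDriver": r"\??\C:\WINDOWS\system32\drivers\example.sys",
}

if __name__ == "__main__":
    for svc, current, suggested in find_unquoted_service_paths(SAMPLE_SERVICES):
        print(f"{svc}\n  current:   {current}\n  suggested: {suggested}")
```

Feed it a real export and review the findings rather than auto-fixing them: the suggested value is applied with `sc config <service> binPath= ...`, and the change should be recorded in the same ticketing system that tracks the rest of the vulnerability management program.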

 

#2—Weak Succession Plans

 

Most community banks operate with lean IT departments. This is great for efficiency but leads to significant problems if there’s no backup when an employee is sick, on vacation, or leaves the job. If your department can only perform certain key tasks when a certain valuable employee is present, your whole system is vulnerable. It’s time to create redundancies in your internal processes, so you’ll ace your FFIEC audit.

 

For many financial institutions, the easiest path to that redundancy is working with an MSP. When you have an outside provider that’s handling disaster recovery, service tickets, and interfacing with your system vendors, you’ll never have to worry about your calls not being answered. Someone’s always on the job.

 

If you’re handling your IT service ticketing internally, have you doubled up so no one employee is solely responsible for key tasks? If you have a key person in senior leadership, who would be the next person to take their place if they choose to leave? Where are all your written policies and passwords? Who can take over your vendor relationships and licenses? What staff is responsible for onboarding and offboarding? Are there internal experts who understand how your code is written? If you can’t answer these questions, you’re leaving your system at risk.

 

#3—Inadequate Bring-Your-Own-Device (BYOD) Policies

 

In the age of remote and hybrid work, employees are accustomed to the ease of switching seamlessly between work and personal devices. Most banks have accepted this and have written BYOD policies. Yet, these policies are often creating unintentional vulnerabilities.

 

Because of the strict data handling standards imposed in the financial sector, bank employees cannot do many things on their personal devices, even if they’re safely logged into the company’s systems. Copy-paste, screenshotting, and downloading documents are some of the many common BYOD risks.

 

We are not suggesting that you prohibit working on other devices, of course. However, we do recommend that you disable certain features for employees who are working outside of company-issued devices. Then, make sure BYOD safety is an important part of your employee security training program.

#4—Uneven Security Training and Standards

 

How often do your employees get cybersecurity training? Do the rules apply equally to everyone? Are there certain employees whose security behavior is more closely scrutinized?

 

It’s not enough to have security procedures. They must be applied to everyone in the organization, regardless of how much sensitive information they handle. For our financial clients specifically, we stress the importance of enterprise-wide monthly cybersecurity training programs. These can be surprisingly easy to implement. There are many standardized programs which offer online learning modules that employees can complete every month. Most will have a testing module at the end so you can grade employees’ understanding of the material and create companywide metrics.

 

Eliminate the holes in your safety net and make regular cybersecurity training required for everyone.

 

#5—Weak Login Security for IT Admins

 

We see a shocking number of organizations without multi-factor authentication set for IT admins. Don’t be one of them. Your IT admins have more power to create havoc in your network than anyone else. Their login protocols should be more powerful, not less. If you have this security loophole in your organization, we recommend you close it fast. This requirement was first pushed by cyber insurance providers looking to limit risk, and now auditors are making the same recommendation.

#6—Failing to Run a Microsoft 365 Security Audit before your FFIEC Audit

 

Microsoft offers so many powerful self-administering benefits like continuous updates and patching. When it comes to your cloud services, it’s easy to sit back and let them do their thing. Yet, many banks don’t realize the vulnerabilities latent in the way their systems interface with Microsoft’s platform.

It’s the little things that make your network vulnerable on Microsoft’s platform: devices set to the wrong settings, incompatible extensions, or third-party programs that create conflicts, for instance. If you don’t know what to look for, it’s easy to miss these common vulnerabilities.

That’s why we recommend financial institutions invest in a specialized Microsoft 365 audit every year. This can be added to existing audits or done as a completely separate process. Either way, it’s money well spent.

 

#7—Understaffed, Underpaid Internal IT Staff

 

Especially if you are working with an MSP, it’s tempting to keep a skeleton crew managing your internal IT department. We don’t recommend this, as system outages are entirely too devastating in banking. You need strong technical expertise to manage your systems and servers on your end.

 

For every internal process, you need employees with redundant skills who can cover for each other. You also need senior IT management with a grasp of the technical issues that will face your financial institution in the years to come. An MSP can handle the lion’s share of your execution and make strategic recommendations. But your internal IT staff is truly where the rubber meets the road. Treat them as such, and they’ll help you manage your vulnerabilities.

Your FFIEC Audit: Preparation Is Key

 

If you’ve managed your risks successfully throughout the year, chances are good you’ll get through a third-party audit with few findings. The key is creating continuous processes to manage your vulnerabilities. Many institutions do this by having regular internal reviews and penetration tests before their audits begin.

 

Want to know more? Check out our recent articles on what to expect from your bank audit and how companies get security findings from policy/procedure mismatches. If you’d like an extra hand during your next FFIEC audit, we’d love to help. Just fill out this form, and we’ll be in touch!

 

Eric Durbin works at Integris as a vCIO and Strategic Account Executive in our Integris Financial Institution Division (FID). He's helped dozens of banks with all aspects of their IT infrastructure management, from maximizing productivity, to setting up cybersecurity safeguards, to preparing for regulatory reviews, and more.
