Put Cyber Risk on the Agenda

AUGUST 1, 2024

By: Tyler Brown

Cybersecurity and Bank Technology

The Office of the Comptroller of the Currency reportedly cited weak or insufficient management of operational risk at 11 of the 22 large banks it oversees, and in recent assessments docked those banks’ scores in its ratings of overall condition. Operational risk factors span policies, procedures, controls, and activities across the bank, and poor risk mitigation can open the door to avoidable business disruptions. Cyber risk is an increasingly important operational risk factor, particularly given the threat of cyberattacks and financial institutions’ (FIs’) mixed ability to protect against them. It may be an even greater challenge for smaller FIs.

FIs anticipate more scrutiny of cyber risk from regulators. According to a study by KPMG, 80% of a large sample of senior US bank executives think that cyber risk supervision and enforcement will increase over the next 12 months. It’s the top factor by far among options in the survey that include data governance, financial risk management, and emerging technology risk. Regulators often argue that cyber risk should fit into an FI’s overall risk management framework, and supervisory exams include an inspection of information technology.

Federal rules on FIs’ cyber risk mitigation are complex. Regulators’ oversight of cybersecurity risk in the banking sector in particular is fragmented, according to the Congressional Research Service (CRS). The Gramm-Leach-Bliley Act covers data security measures by the banking industry most completely. Part of the law manifests in the Federal Trade Commission’s Safeguards Rule, which instructs FIs to “[d]esign and implement a safeguards program” and “identify and assess the risks to customer information in each relevant area of the company’s operations, including service providers and changes in the firm’s operations,” according to the CRS.

FIs are responsible to their primary federal regulator for cybersecurity risk: The Safeguards Rule is enforced by the bank and credit union regulators, according to the CRS. FIs have guidance to work from. The FDIC argues for certain policies and processes, including corporate governance, security awareness training, and patch-management processes, to address cybersecurity risks. Part of success with a cybersecurity risk program, it also argues, is a board that competently oversees programs to protect data and technology and sets the expectation of a corporate culture consistent with the bank’s risk tolerance.

Effective cybersecurity risk management also requires senior leadership’s commitment, expertise in technology and operational risk, and attention to detail. A 2021 joint rulemaking, for example, requires a timely response to cyber incidents, including that an FI notify its primary federal regulator of “any significant computer-security incident” no later than 36 hours after it determines that an incident occurred. Effective cyber risk management also demands long-term planning and a holistic perspective on risk. The FDIC notes that “[a] sound risk-management program and corresponding controls will help mitigate the threat of cyberattacks” and that management must incorporate cybersecurity into the bank’s overall risk-management framework. FI boards of directors, take note.
