2022 Community Bankers Symposium: Headwinds and Tailwinds
The 16th annual Community Bankers Symposium, held on Friday, October 21, 2022, focused on the headwinds and tailwinds affecting community bankers, with a special focus on the impact of cybertechnology and the risk of cyber threats banks face in today’s rapidly changing environment. The event was hosted jointly by the Federal Reserve Bank of Chicago (FRB Chicago), the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC), and the Conference of State Bank Supervisors.
Julie A. Williams, executive vice president of Supervision and Regulation at FRB Chicago, welcomed community bankers, senior policymakers, and experts to the symposium and challenged the audience to consider, “How can we be diligent in the current cyber environment? How can we find new paths and innovation in community banking? Lastly, how are community banks doing?”
Charlie Evans, president and CEO of FRB Chicago, addressed the pressing topic of the current economic outlook: rising interest rates and inflation. Monetary policymakers are now significantly tightening policy to bring inflation back in line with their price stability mandates.
“I see the nominal funds rate rising to a bit above 4.5% early in 2023 and then remaining at this level for some time while the FOMC assesses how our policy adjustments are affecting the economy,” said Evans.
Inflation is expected to subside next year, so with those expectations and when reductions in the Fed’s balance sheet (known as quantitative tightening) are factored in, Evans said he expects the stance of policy to be at a place nearly equivalent to a real fed funds rate of 2%. He noted that this is far above the one-quarter to one-half percent estimated benchmark long run neutral rate.
Reducing inflation may cause some softening of labor market conditions. “However, ensuring low and stable inflation is a prerequisite for achieving the sustained strong labor market outcomes that bring benefits to everyone in our society,” Evans said.
The unemployment rate is currently 3.5% and is projected to rise to 4.4% by late next year and remain near that level until 2024 and 2025. While this does represent a noticeably softer labor market when compared to today’s level, Evans pointed out that these are certainly not recession-like numbers.
Cyber vigilance in the current environment: Keynote fireside chat
Retired admiral Mike Rogers, former NSA director and head of U.S. Cyber Command and the Central Security Services, spoke about the current state of cyber risks, including ransomware, faced across sectors and industries.
For most U.S. institutions and individuals, non-state criminal actors pose the biggest challenge—causing the explosion of criminal activity in cyber space over the past decade. Rogers noted that cyber-criminal activity and ransomware attacks impact all of us across every industry regardless of size and geographical footprint. While quantifying the scale of ransomware attacks precisely is difficult since most attacks go unreported, he pointed out that “it is estimated that cyber criminals will take in $1.5 trillion in revenue as we end 2022, and that figure could approach $5 trillion by 2025.”
This represents a challenge to the sustainability of cyber security and cyber resiliency efforts, as not all firms have the same financial resources for tackling this continuously growing problem.
Despite this seismic challenge, Rogers said he was encouraged to see government and the private sector partnering to combat these issues, as well as greater private sector responsiveness and government-led accountability for cyber performance. He noted that “we need to be collaborators, not competitors in cyber resiliency,” working together with industry groups, peers, regulators, and law enforcement as resources to help combat these challenges.
Rogers noted that for smaller institutions, finding the right partners to help combat cyber threats and managing vendors is a challenge, while their ability to be agile and react quickly to changes is an advantage of their small scale.
Lastly, Rogers emphasized transparency as an important way to improve management of cyber security and ransomware risks, noting, for example, that “companies that have paid the ransom can help prevent similar scenarios for others by sharing their experience.”
Innovation: Community bank trends and opportunities
Nathan Perry, associate deputy comptroller, OCC, moderated a panel of bank regulators from across the District. The panel featured Ric Brunskill, senior vice president, regional and community supervision, FRB Chicago; Karen Boehler, senior deputy comptroller, midsize and community banks, OCC; Chris Dietz, deputy director, Indiana Department of Financial Institutions; and Nicole Orlando, assistant regional director, FDIC.
Brunskill discussed the rising interest rate environment and the impact on banks across the District, particularly from increasing accumulated other comprehensive income (AOCI). He said that when evaluating the adequacy of a bank’s capital position, regulators generally prioritize other measures of capital rather than the tangible equity capital ratio, which can be significantly adversely impacted by rising AOCI. Other parties, such as the Federal Home Loan Bank, external rating agencies, and firms providing brokered deposits to financial institutions, may place more weight on the tangible equity capital ratio and this is something bankers should be mindful of, he said.
Boehler highlighted some community bank initiatives at the OCC. Notably, the OCC will reduce assessments against national banks beginning in March 2023. “Our review of the geographic footprint and degree of examiner travel during the Covid-19 pandemic found efficiencies in the OCC’s assessment structure,” she said. And “many impacted bankers shared they intend to use these cost savings toward investing more in technology or preventative measures against cyber risks,” she added. She also discussed the importance of an innovation strategy and noted that engaging with your primary regulator is an excellent first step when pursuing new initiatives.
Dietz discussed the overall strong credit conditions at community banking organizations across the District and highlighted several key asset-quality metrics, most of which compare favorably to the same measure immediately prior to the Covid-19 pandemic. Dietz noted that these are lagging indicators and bankers should be proactively identifying and working with their problem customers now in anticipation of possible economic headwinds. He discussed the importance of capital planning, performing stress-testing exercises, and having reasonable triggers in place to drive how capital is allocated and accumulated.
Orlando discussed the FDIC’s five key priorities for 2022, including strengthening the Community Reinvestment Act, addressing the financial risk posed by climate change, reviewing and modernizing the Bank Merger Act, evaluating crypto asset risk, and finalizing the Basel III capital rule.
Financial performance of community banks
Doreen Eberley, director, Risk Management Supervision, FDIC, discussed the persisting inflationary pressures, supply chain challenges, and labor competition. As a result of these factors, the industry is under stress and there are potential vulnerabilities in: commercial real estate values; other asset values and the potential for borrower strain; and interest rate risk and liquidity.
Eberley acknowledged that commercial real estate values are one of the largest single holdings on community banks’ balance sheets, noting that “the FDIC is focused on management’s efforts to identify and work with borrowers experiencing strains in the current rate environment due to rising rates and related changes to market demands.”
The FDIC is looking at interest rate risk and liquidity, which accounts for a significant amount of interest risk on banks’ balance sheets. “The funding pressures may increase for those banks that offer more wholesale [products] or are more rate-sensitive funding sources,” Eberley noted.
While liquidity is strong now, it could change if banks are forced to sell securities to cover losses, which may impact regulatory capital and market perceptions. Regulatory agencies are working together to monitor unrealized losses and actively engaging with institutions that have exposure.
Lastly, Eberley reiterated the criticality of cybersecurity risk management practices, which continue to be a high-priority focus of the supervisory program, including relevant safety and soundness standards, periodic guidance, alerts, advisories, and technical assistance.
She further underscored that examination helps examiners focus on controls that bolster an institution’s effectiveness in the event of a threat. “Through FDIC Connect,” she said, the FDIC “will amplify messages from law enforcement and security agencies to inform banks and service providers of potential threats.”
Closing the cyber agility gap
Bob Maley, inventor, author, futurist, and chief cybersecurity officer at Black Kite, outlined ways to close the cyber agility gap. Maley noted that bad actors are focused on accessing an organization’s cybersecurity systems to determine vulnerability of their assets. Cybersecurity defenses should be designed to disrupt cybercriminals’ decision-making by employing an OODA Loop strategy developed by the United States Air Force, which consists of four phases: observe, orient, decide, and act.
Today’s cybersecurity is failing because criminals are increasingly innovative, and many vendors are vulnerable and not classified as high risk, Maley said. Current regulations encourage a qualitative classification-based approach instead of a risk-based approach, he added, for identifying high-risk third-party vendors. Maley advised companies to employ a quantitative approach, thereby measuring risk in dollars rather than risk tiers.
Inherent risk should be redefined as vulnerabilities that would have the largest impact in the absence of controls. Maley said organizations should ask, “What represents the highest risk today and the probable financial impact?” The cost of a data breach now averages $75.21 million, including so-called low-risk vendors, he said, but excluding those vendors, it averages a much lower $15.01 million. Seventy-four percent of incidents originate from third parties. The OCC advocates continuous monitoring based on vendor grading, but that has not proven effective against third-party risk, Maley said, because vendors are so diverse and have different risk profiles.
Banks should assess the probable financial impact of a cyberattack in the next 12 months, according to Maley. Despite favorable community bank cybersecurity risk assessment scores, there were still 4,000 critical cybersecurity control failures reported this year, he said. Guidelines from both the International Organization for Standardization (ISO) and the National Institute of Standards and Technology (NIST) advise banks to replace their risk assessment model with Factor Analysis of Information Risk (FAIR) to develop a risk assessment process, Maley said. He noted that the international consortium The Open Group has developed an enterprise cyber risk taxonomy that should be incorporated into the cyber risk assessment process, based on what’s at stake for the bank.
To change the game, banks need to understand how a bad actor looks at them, Maley said. According to recent surveys, he added, vulnerabilities include a 67% chance of a ransomware attack and a 32% chance of insider threats. Ransomware attacks focus on vulnerabilities, including open critical ports, phishing domains, remote code execution, endpoint security, leaked credentials, company size, and email security, in the most vulnerable industries like banking. Closing those gaps, he said, will greatly reduce the likelihood of a successful ransomware attack. Staying agile, he added, should allow community banks to stay ahead of cyber threats and mitigate risk.
Cyber insurance: How much is enough?
Ben Zviti, managing director, Financial and Professional Products (FINPRO) and FI cyber-crime leader, Marsh & McLennan, provided his perspective on cyber insurance, including what is covered, what is not covered, the cyber insurance market today, and what factors are considered in assessing the adequacy of limits.
Cyber policies cover cyber extortion and ransomware, including the costs to pay ransom demands and for vendors to negotiate ransom. However, paying a ransom to anyone on the OFAC sanction list is not allowed, Zviti said. Any allegation that the bank failed to protect customer information or their network, he noted, would trigger a liability policy that covers defense costs and judgments.
Insurance carriers worry most about systemic risk and privacy regulations, Zviti said. Systemic risk is a widespread event where the insured is indirectly impacted by something that impacts many. The insurance company must pay a lot of claims when the insured is not even directly attacked, he said. The second most important worry for insurance carriers, he said, is privacy regulations. There is not a federal standard, but a few states have adopted some regulations. Operating or having a customer in one of those states requires that the regulations are followed, he said.
“The advent of ransomware has caused insurance rates to go up substantially over the last two years,” Zviti said, and bad actors know they can get paid up to the insurance limit. Financial institutions generally do a much better job of securing their systems, but insurance companies have still increased the costs due to other industries that are not as secure, Zviti said. The cyber insurance application is much longer than other types of insurance applications while the insurance company checks that a minimum number of controls are in place, he added. If a bank does not have controls in place, such as multifactor authentication, endpoint detection and response, encrypted backups, privileged access management, and email filtering and web security, the bank may not even get insurance, he said.
Zviti noted that it is possible that cyber insurance requirements could increase to include patch and vulnerability management, cyber incident programs, cyber awareness training, hardening techniques, logging and monitoring, end-of-life systems, and vendor risk management. He said that the more you can hit on these control elements, the better the outcome of the cyber insurance renewal.
As for the question of how much cyber insurance is enough, Zviti said organizations should perform a cost benefit analysis to understand the total cost of risk, the mitigating controls, and residual risk, then determine how much of that risk is transferable into the insurance market. He recommended asking the bank’s risk adviser for peer benchmarking to see what other banks of the same size and geo footprint are doing and then assessing the adequacy of the limits.
At the close of the symposium, Nathan Perry, associate deputy comptroller of Midsize & Community Bank Supervision at the OCC, expressed his thanks to everyone who presented and attended. Perry confirmed the 2023 Community Bankers Symposium will be held on November 17, 2023.