State Banking Supervisors Clarify Cybersecurity Expectations for Nonbank Financial Institutions

Entities that offer financial services to businesses and consumers but do not hold deposits for their customers now have clear guidance on what they should be doing to protect their networks' customers from cyberattacks and cybersecurity incidents.

The guidance comes in the form of documents that state bank regulators use to conduct cybersecurity exams of nonbank financial services firms. The Conference of State Bank Supervisors (CSBS) publicly released the documents on Aug. 9, 2022, to raise awareness of cybersecurity issues for nonbanks and to clarify the CSBS's expectations for cybersecurity.

The CSBS is the national organization of banking regulators for all 50 states, the District of Colombia, and U.S. territories. The guidance is aimed at nonbanks, which are entities that do not hold deposits for their customers but do offer businesses and consumers financial services such as the provision of home or car loans, prepaid payment cards, money services businesses, or mobile payment services.

The exam procedures themselves contain a series of questions designed to assist state bank supervisory examiners in performing a high-level cybersecurity risk assessment of nonbank institutions in following areas: Audit, Management, Development and Acquisition, and Support. The Baseline Guidance is intended for smaller, less complex, and lower risk nonbank entities. The Enhanced Guidance provides additional questions and procedures for a more comprehensive review of larger, more complex institutions or institutions that have already experienced cybersecurity issues or incidents.

The guidance documents ask questions covering essential cybersecurity topics to determine whether the institution:

• Conducts internal or external audits and testing of its cybersecurity program;
• Maintains written cybersecurity policies and procedures;
• Has disaster recovery and incident response plans;
• Actively conducts monitoring and penetration tests;
• Has its senior management and board of directors supervise the institution's cybersecurity program;
• Has dedicated resources available to the institution's cybersecurity program;
• Has technical measures such as multi-factor authentication, firewalls, and encryption in place;
• Maintains inventories of devices and a network topography;
• Employs secure document-destruction and deletion policies and procedures; and
• Conducts cybersecurity risk management programs for third-party service providers.

The CSBS's exam guidance documents can serve as a useful roadmap for financial services firms – both fintech start-ups and more complex institutions – in developing and maintaining a robust and effective cybersecurity program. DWT's Privacy and Security team regularly advises financial institutions on cybersecurity issues and can assist firms in complying with state, federal, and international cybersecurity regulations.