That’s because it takes, on average, 233 days—about 8 months—for a financial services institution to detect and contain a data breach (source: Varonis).
This alarming trend is why banks must be regularly audited.
What Is A Bank Audit?
A bank audit is a formal process in which an independent accounting specialist reviews the services, systems, financial statements, and/or procedures of a bank, credit union, or other financial institution. Every financial service company must undergo audits regularly in order to comply with legal and jurisdictional regulations, laws, and industry standards.
For community banks, this means complying with the Gramm-Leach-Bliley Act, also known as the GLBA. The GLBA “requires financial institutions … to explain their information-sharing practices to their customers and to safeguard sensitive data.”
What Is An Exam?
In addition to an audit, another process banks could be subjected to is an exam.
Compliance audits are optional, proactive steps banks can take for cybersecurity protection. They are more comprehensive than an exam.
Exams are mandatory and are conducted by the state or the federal government. Each state has its own regulations, and federal regulations are different from those.
How Do You Prepare For An Audit?
One of the best ways banks can prepare for audits and exams is with the Cybersecurity Assessment Tool (CAT).
“In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council (FFIEC) developed the Cybersecurity Assessment Tool to help institutions identify their risks and determine their cybersecurity preparedness,” says the FFIEC.
The CAT looks at approximately 500 cybersecurity components and helps banks assess the controls they have (or don’t have) in place.
One of the ways it does this is by helping security professionals understand cybersecurity maturity across five domains.
What Is Involved In A Bank Audit?
Broadly speaking, the CAT categorizes security controls for compliance audits across five domains:
Cyber Risk Management and Oversight
Threat Intelligence and Collaboration
Cybersecurity Controls
External Dependency Management
Cyber Incident Management and Resilience
Each domain looks at a number of cybersecurity risk assessment factors and components.
“Under each component,” the CAT says, “there are declarative statements describing an activity that supports the assessment factor at that level of maturity.”
Get Familiar With The 5 Cybersecurity Maturity Levels
In addition to the five domains, the CAT outlines five cybersecurity maturity levels, which range from the minimum expectations required by law to driving innovation within the industry.
Listed here is each maturity level, along with an example of a control:
Baseline - Designated members of management are held accountable by the board or an appropriate board committee for implementing and managing the information security and business continuity programs. Banks must meet every Baseline statement before they can move up to a more sophisticated level.
Evolving - At least annually, the board or an appropriate board committee reviews and approves the institution’s cybersecurity program.
Intermediate - The board or an appropriate board committee has cybersecurity expertise or engages experts to assist with oversight responsibilities.
Advanced - Industry-recognized cybersecurity standards are used as sources during the analysis of cybersecurity program gaps.
Innovative - The board or an appropriate board committee discusses ways for management to develop cybersecurity improvements that may be adopted sector-wide.
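The rule that levels are cumulative (an institution only reaches a level once every declarative statement at that level and every level below it is met) is easy to get wrong when tallying answers by hand. The following scorer is an added example, not the FFIEC's own tool or anything from this page; the sample statements are constructed (two are paraphrased from the examples above, the rest are invented), and the function names are hypothetical. It shows why a "Yes" at Advanced does not count while Intermediate still has a gap, and lists the unmet statements an exit note would point at first.

```python
"""Maturity-level scoring under the CAT's cumulative rule (added example, not FFIEC code).

Assumption: each domain is recorded as {level: {declarative statement: met?}}.
The FFIEC's CAT is distributed as a spreadsheet; this is a hypothetical re-implementation
of only the rule that a level is reached when it and all lower levels are fully met.
"""

MATURITY_LEVELS = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]

# Constructed sample answers for one domain ("Yes" == True). Statements marked
# (constructed) are invented for the example; the others paraphrase the page.
SAMPLE_DOMAIN = {
    "Baseline": {
        "Management is held accountable by the board for the infosec program": True,
        "Information security policy is approved by the board (constructed)": True,
    },
    "Evolving": {
        "Board reviews and approves the cybersecurity program at least annually": True,
    },
    "Intermediate": {
        "Board has cybersecurity expertise or engages experts": False,
    },
    "Advanced": {
        "Industry-recognized standards are used during gap analysis": True,
    },
    "Innovative": {
        "Board discusses sector-wide cybersecurity improvements": False,
    },
}


def achieved_level(domain):
    """Return the highest maturity level met under the cumulative rule, or None.

    Levels are walked in order; the first level with any unmet (or missing)
    statement stops the climb, so later "Yes" answers are not credited.
    """
    achieved = None
    for level in MATURITY_LEVELS:
        statements = domain.get(level, {})
        if not statements or not all(statements.values()):
            break
        achieved = level
    return achieved


def gaps_to_next_level(domain):
    """Return (level, unmet statements) for the first level not yet fully met.

    If the institution has met every level, return (None, []).
    """
    for level in MATURITY_LEVELS:
        statements = domain.get(level, {})
        unmet = [s for s, met in statements.items() if not met]
        if unmet or not statements:
            return level, unmet
    return None, []


if __name__ == "__main__":
    print("Achieved level:", achieved_level(SAMPLE_DOMAIN))
    level, unmet = gaps_to_next_level(SAMPLE_DOMAIN)
    print(f"Next level to work on: {level}; unmet statements: {unmet}")
```

Run it as-is and the sample domain scores as Evolving, not Advanced, because the single unmet Intermediate statement blocks the climb; the gap list names that statement so the remediation work is obvious before the auditor arrives.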
Is Your Bank Prepared For A Compliance Audit Or Exam?
Now that you know more about the annual audit process, you’ll need to determine how best to complete it for your bank.
To complete the complex CAT, banks may consider working with an outside partner who has expertise in facilitating the audit and interpreting the exit notes for you.