From the: Winter 2021/2022 Newsletter

As we move into the final few months of 2021, financial institutions can turn their attention to some of the top emerging risks. When the Conference of State Bank Supervisors (CSBS) asked the Western Regional Regulators about their most significant concerns in January 2021, the top concerns were cybersecurity, credit quality impacts from the pandemic, the potential impact from the end of consumer and SBA relief programs, and climate change.

Similarly, the American Bankers Association (ABA) Banking Journal discusses the impact of margin pressure from low interest rates, risks to commercial real estate, and cybersecurity as the top three risks facing banks in the coming years, along with compliance and operational risks as the industry continues to become more digital.

Information technology (IT) and cybersecurity have consistently remained a growing concern for bankers and regulators. IT risk management efforts may be lacking in some banks; the Federal Reserve Board (FRB) noted that there has been an increased level of IT-related enforcement actions. Similarly, smaller community banks may be more challenged to attain sufficient IT expertise and resources.

Most states have stated there is increasing risk in IT, and many states are addressing the increased risk by expanding their IT examinations staff and training programs. The Washington Division of Banks continues to perform full-scope IT examinations as part of our safety and soundness bank examination program, and we maintain strong expertise in our IT examination staff.

Recent cyber threats that have required industry identification and mitigation efforts include the December 2020 SolarWinds breach and the zero-day vulnerabilities in Microsoft’s Exchange Servers. DFI also completes various levels of industry outreach when these events occur to notify our regulated entities and assess impacts and responses.

Cybersecurity incidents directly impacted a small number of Washington banks, but those banks took appropriate steps to mitigate the risk. To assess the full impact of potential future cyber events, banks should communicate with their third-party vendors as soon as possible to determine their full exposure.

IT issues identified in the state of Washington have primarily been associated with third-party risk management, IT audit and independent review, and IT governance. The work of managing third-party risk continues to expand because of the growth of digital banking and remote work arrangements. Institutions should increasingly assess where data is going and who’s managing it.

Further, banks may be overlooking risks of remote access because of the need to quickly expand remote access systems to their employees. An increase in remote users may result in a bank having less control over sensitive information, and institutions should proactively manage that added risk. Overall, bank management should continue to prioritize oversight of current and emerging risks, in particular the ever-growing risks in the cybersecurity space.