On Wednesday, August 9, 2017, the New York League of Independent Bankers (NYLIB) held their Summer 2017 Meeting. The evening featured Michael Flynn, an Information Technology Examination Specialist in the FDIC’s Boston Area Office, who discussed the cybersecurity risks and challenges currently facing the banking industry. Mr. Flynn has been with the FDIC for 24 years and began as a Field Examiner in the former Holyoke, MA, Field Office. Over the past five years, he has focused primarily on supervising technology risks at large, complex, and problem banks and technology service providers.

Mr. Flynn’s presentation highlighted the increasing and inherent risk due to the banking industry’s ever-growing dependence on technology. Mr. Flynn identified specific technology, organization, human, and physical risks to financial institutions, and ways that institutions could minimize those risks, conceding that cybersecurity attacks were a “matter of when, not if.” He stressed that institutions were responsible not only for minimizing the possibility of such attacks, but for implementing a plan to deal with their aftermath. Mr. Flynn emphasized that the FDIC’s focus in examining institutions’ IT and cybersecurity would be on their preparedness and risk mitigation efforts.

Mr. Flynn took numerous questions from those in attendance both during and after his presentation. For example:

• One attendee asked how to deal with the possibility of cybersecurity attacks on third party vendors and core service providers. Mr. Flynn explained, in response, that financial institutions could outsource tasks but not the responsibility, and that they needed to provide sufficient oversight of third party vendors and the vendors’ systems.

• Another attendee asked whether New York State’s new cybersecurity regulations (Part 500) were more stringent than federal regulations and, therefore, whether banks could put off implementing more aggressive systems until a New York State examination year. Mr. Flynn stated that, just because the FDIC did not have regulations that paralleled Part 500, did not mean that the FDIC held banks to a lower level of cybersecurity. Instead, he explained that he believed cybersecurity issues could be tied back to safety and soundness and that the FDIC expected cybersecurity diligence equivalent to that required under Part 500. Mr. Flynn added that the Federal banking regulators continue to discuss and review issuing cybersecurity regulations, but that he did not know if, or when, these regulations would be passed.

Thank you to Mr. Flynn for coming to speak with the NYLIB community!