The Maryland Bankers Association included a session at their recent CFO conference that was a panel discussion in which all three panelists were regulators. The Virginia Bankers Association has held a similar session in the past. These sessions are a great way to hear first-hand which issues regulators want banks to pay attention to.
Compliance issues in general were one panelist's main concern. For IT issues specifically, we heard that DR plans are often insufficient in their content. Occasionally (without quantifying how often), the panelist noted, a DR plan is a canned product where you fill in the blanks, but the actual technical design and testing of the plan are poor.
The two other issues mentioned were vendor management and patch management. In both cases, the message was that regulators want to see a well-designed program and actual execution of that program, rather than lip service to either.
Another panelist made a point of recommending that banks follow the FFIEC website, especially for the cybersecurity tools that can be found there. Other items mentioned were cybersecurity risks flowing from third-party connections. The same panelist pointed out what a great resource the FS-ISAC website is.
My experience is that the panelists cannot speak for attribution, so names are not included, but the panelists represented both federal and state regulators. See www.mdbankers.com for more information.