Banking &
Financial Security

Ohio financial institutions face a multilayered regulatory environment. Banks chartered in Ohio are supervised by the Ohio Department of Commerce Division of Financial Institutions and federal regulators (OCC for national banks, FDIC/Federal Reserve for state member banks). Credit unions are supervised by NCUA. All are subject to FFIEC cybersecurity examination guidance, including the Cybersecurity Assessment Tool (CAT) and the IT Examination Handbook. Non-bank financial institutions (mortgage lenders, auto dealers, financial advisors) are subject to the FTC Safeguards Rule. Securafy delivers compliance programs calibrated to your specific regulatory framework and examiner.

FFIEC examiners assess cybersecurity maturity during regular safety and soundness examinations using the Cybersecurity Assessment Tool (CAT). The CAT evaluates your institution across five domains: Cyber Risk Management and Oversight, Threat Intelligence and Collaboration, Cybersecurity Controls, External Dependency Management, and Cyber Incident Management and Resilience. Examiners look for board-level governance (regular cybersecurity reporting to the board), documented risk assessments, tested incident response plans, vendor oversight programs, and evidence that identified risks are being mitigated. Weak programs result in Matters Requiring Attention (MRAs) that can delay merger and acquisition applications.

The FTC's updated GLBA Safeguards Rule (effective June 2023 for most requirements) added specific enforceable technical requirements for non-bank financial institutions: a designated Qualified Individual to oversee the security program; annual penetration testing; semi-annual vulnerability assessments; MFA for all personnel accessing customer information systems; encryption of customer information at rest and in transit; a secure development program; a written incident response plan; and annual board reporting by the QI. Institutions that were relying on the previous, more principles-based rule without specific technical controls are now out of compliance.

The top threats for Ohio financial institutions are: business email compromise (BEC) targeting wire transfers and ACH fraud — FBI IC3 reported $2.9B in BEC losses nationally in 2023; ransomware targeting core banking systems and loan origination platforms; credential stuffing attacks on online banking portals using breached username/password combinations; and supply chain attacks through third-party fintech and core processor vendors. Social engineering targeting bank employees with access to wire transfer systems is the primary attack vector for BEC. Securafy's email security and Zero Trust architecture address all four categories.

Securafy's FFIEC examination preparation includes: completing and documenting your FFIEC CAT across all five domains; gap remediation between your current maturity and your risk profile's required maturity; board reporting preparation (quarterly cybersecurity reports formatted for director review); vendor risk management documentation including vendor risk assessments and contract terms; incident response plan development and tabletop testing; and pre-examination mock review with findings report. Ohio banks and credit unions that engage Securafy prior to examination consistently achieve cleaner examination results and avoid the MRAs that slow down strategic initiatives.