The Federal Financial Institutions Examination Council (FFIEC) has established its priorities for the remainder of 2015 following its recent cybersecurity assessment pilot program. The pilot program looked at many facets of information security strategy at financial institutions, ranging from the role that vendors play in cyber threat management to internal incident response procedures and board involvement in cyber matters. The preliminary results of the pilot program, which evaluated more than 500 financial institutions, contained high-level observations intended to give financial institutions risk management discussion points to consider.
Key Recommendations from the FFIEC Cybersecurity Assessment Pilot Program
- Consider the inherent risk posture of the financial institution by understanding the number and nature of connection points to public networks
- Perform cyber risk assessments at the product level to determine what could go wrong. For example, attackers often compromise customer PCs with malware, harvest the customer’s online banking credentials, and then use those credentials to originate fraudulent ACH transfers.
- Ensure that senior management and boards of directors are engaged, informed and involved in matters of cybersecurity risk.
- Ensure that proper personnel in the financial institution have the appropriate resources and knowledge to gather information and become aware of cybersecurity risks.
- Consider external vendors and business partners and evaluate the level of exposure they bring.
- Routinely test the financial institution’s ability to detect, respond and correct a cybersecurity event.
The FFIEC’s priorities for the remainder of 2015 focus on enhancing the cybersecurity posture of financial institutions in recognition of the heightened threat landscape. A key priority for the FFIEC is the introduction of a “Cybersecurity Self-Assessment Tool,” along with other detailed guidance that will help financial institutions understand what they need to do to protect themselves from cyber threats.
FFIEC Guidance Relating to Cybersecurity Will be Applied to:
- Incident Analysis
- Crisis Management
- Policy Development
- Technology Service Provider Strategy
- Collaboration with Law Enforcement and Intelligence Agencies
While the tools and guidance are being developed, it is important that executives and boards remain apprised of cybersecurity issues and involve key personnel, both internal and external, in developing risk assessments and control strategies to mitigate cybersecurity threats. Until the more detailed guidelines are available, financial institutions should apply leading practices such as the National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity or the Securities Industry and Financial Markets Association’s (SIFMA) Small Firms Cybersecurity Guidance to promote effective risk mitigation and control strategies. It is equally important for financial institutions to keep a finger on the pulse of cyber threats and newly evolving risks by subscribing to threat monitoring sources such as the United States Computer Emergency Readiness Team (US-CERT) and the Financial Services Information Sharing and Analysis Center (FS-ISAC). These and other resources encourage collaboration and knowledge-sharing among financial institutions. Because cyber criminals tend to reuse the same methods when attempting to breach the security controls of financial institutions, an attack seen at one institution is a reliable early warning for its peers, and collaboration is therefore invaluable in mitigating these persistent threats.
UPDATE: On June 30, the FFIEC released its Cybersecurity Assessment Tool. Read about how it can help financial institutions identify their cybersecurity risks and assess their preparedness in our recent insight article.