In June of last year, the Federal Financial Institutions Examination Council (FFIEC) announced the creation of the Cybersecurity and Critical Infrastructure Working Group. One of the group’s responsibilities was to raise the awareness of community financial institutions with respect to cybersecurity risk. One of the main factors that led to the cybersecurity focus was the growth in the number of cyber-attacks and the complexity of the attacks that were occurring. Another factor that was considered was that community banks generally lack the same technical security resources of larger more sophisticated banks, and would need the regulatory agencies to offer more guidance and support.
To assist in raising awareness and providing guidance, the FFIEC has initiated a pilot program to assess more than 500 community institutions by state and federal regulators as part of their regularly scheduled safety and soundness exams. Early reports have noted that any findings uncovered during these assessments may indeed be included in the bank’s examination report.
The data gathered from the cybersecurity assessments will be used in part to help understand the risk management maturity level of community banks from a cybersecurity perspective, and will help mold future guidance and supervisory programs.
What Is the Scope of the Cybersecurity Assessments?
FFIEC guidance on the matter has shown that the published scope of the assessment is somewhat broad in nature. The complexity of the institution’s information systems will be taken into account, and the examiners will be looking at the following high-level areas:
- Risk Management and Oversight
- Threat Intelligence and Collaboration
- Cybersecurity Controls
- External Dependency Management
- Cyber Incident Management and Resilience
The FFIEC guidance also hints that the content behind the cybersecurity assessments is nothing new and that financial institutions should not expect to have new expectations or an additional examination rating.
How Should My Bank prepare?
There are quite a number of different things financial institutions can do to prepare for cybersecurity assessments. We recommend starting with an established framework and tailoring that framework to fit your organization. While there are many different available frameworks, we will illustrate one. For example, take the National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity. This is a newly established framework that helps organizations lay the groundwork for managing cybersecurity risk. While the framework is very robust and likely overkill for many community financial institutions, there are certain elements within the framework that could be adopted, no matter the size. The framework was not intended to be a one-size-fits-all approach for managing cybersecurity risk and is meant to be business-driven and tailored.
The framework details specific functions, sub-functions, and even controls that organizations need to consider in managing cybersecurity risk. These functions at a high level are as follows:
The NIST Cybersecurity Framework is also a valuable tool because it takes many other frameworks into account and suggests leading guidance from other frameworks to complement itself. For instance the framework references the following “Informative Resources”, Control Objectives for Information and Related Technology (COBIT), Council on CyberSecurity (CCS) Top 20 Critical Security Controls (CSC), certain ANSI/ISA standards, certain ISO/IEC 27001, and more.
Whatever the framework your financial institution chooses to implement, ensure that third-party relationships are considered as part of the process and your audit committee and board are involved in the oversight of any cybersecurity activities.
For more information on how Schneider Downs can assist you or your company with implementing a cybersecurity framework, contact Eric Wright at 412-697-5328 | firstname.lastname@example.org or Dan Desko at 412-697-5285 | email@example.com.
© 2014 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.