Bank executives and directors are getting another push to share cyber-security alerts with each other in a new report released this week by the multi-agency Federal Financial Institutions Examination Council.

During the summer of 2014, FFIEC members, including representatives of the bank regulators and Consumer Financial Protection Bureau, conducted a cyber-security assessment at more than 500 community banks to evaluate their preparedness and response capability. The new report, “FFIEC Cybersecurity Assessment General Observations,” draws upon that review to offer advice to executives and directors and urge improved information sharing.

Financial institution management is expected to monitor and maintain sufficient awareness of cyber-security threat and vulnerability information so that it can evaluate risk and respond accordingly, FFIEC says. Management should also establish procedures to evaluate and apply the various types and quantities of cyber-threat and vulnerability information to meet the needs of its organization.

Questions management and boards should be asking, according to the guidance:

What is the process for ensuring ongoing and routine discussions by the board and senior management about cyber-threats and vulnerabilities to our financial institution?

How is accountability determined for managing cyber risks across our financial institution? Does this include management’s accountability for business decisions that may introduce new cyber risks?

What is the process for ensuring ongoing employee awareness and effective response to cyber risks?

What is the process to gather and analyze threat and vulnerability information from multiple sources? How do we leverage this information to improve risk management practices?

What reports are provided to our board on cyber events and trends?

What is our process for classifying data and determining appropriate controls based on risk?

What is our process for ensuring that risks identified through our detective controls are remediated?

How are we connecting to third parties and ensuring they are managing their cyber-security controls?

What are our third parties’ responsibilities during a cyber-attack? How are these outlined in incident response plans?

In the event of a cyber-attack, how will our financial institution respond internally and with customers, third parties, regulators, and law enforcement?

How are cyber-incident scenarios incorporated in our business continuity and disaster recovery plans? Have these plans been tested?

FFIEC also urged financial institutions of all sizes to participate in the Financial Services Information Sharing and Analysis Center as part of their process to identify, respond to, and mitigate cyber-security threats and vulnerabilities. FS-ISAC is a non-profit information-sharing forum established by financial services industry participants to facilitate the sharing of physical and cyber-security threat and vulnerability information between the public and private sectors.

FFIEC also flagged a variety of guidance and government resources banks can consult regarding cyber-risk, including: FBI Infragard; U.S. Computer Emergency Readiness Team at US-CERT; U.S. Secret Service Electronic Crimes Task Force; FFIEC Information Technology Examination Handbook, Development and Acquisition; FFIEC Information Technology Examination Handbook, Information Security; FFIEC Information Technology Examination Handbook, Operations.