Security of consumer information is a critical business objective for financial institutions, and the threat from cyberattacks is continuing to increase.
Cybersecurity is recognized to be a national security challenge that is not going away as cyber adversaries become more organized and cyberattacks become more sophisticated and persistent.
The reputational and financial losses due to cyberattacks have made cybersecurity an executive and board-level issue. Executive management and the board should be involved in the process of developing a comprehensive cybersecurity program and should take appropriate actions to address changing cyber risks.
To help evaluate cybersecurity preparedness and develop a comprehensive cybersecurity program, financial institutions should consider answering the following questions:
Are employees continuously reminded of their cybersecurity responsibilities and provided with annual cybersecurity awareness training?
Employees should receive annual cybersecurity awareness training that identifies current threats and vulnerabilities as well as techniques for mitigating them. In addition, financial institutions should have programs in place to continuously remind employees of their cybersecurity responsibilities, such as email campaigns, newsletter articles, and other awareness methods.
Are the network and devices adequately protected?
IDS/IPS – Financial institutions should have an intrusion detection system (IDS) and intrusion prevention system (IPS) that will help detect and prevent inappropriate, incorrect, or anomalous activity.
Antivirus – Antivirus software should be installed on all workstations and servers that are connected to the internal network or internet. The antivirus software should be configured to check for updated virus definitions on a regular basis, at minimum daily. A centralized antivirus management tool is recommended to help ensure that antivirus agents are not disabled by end users and virus definitions are updated on all workstations and servers.
Patch management – A patch management process should be in place that ensures critical patches are installed in a timely manner and security flaws are remediated immediately upon discovery. Centralized monitoring of patch management is recommended to help ensure that patches and updates are applied as expected.
Are strong password parameters enforced on the network and critical systems?
Strong password parameters should be enforced for all accounts on the network and critical systems. At a minimum, these parameters should require the password to be changed on the first login, set a minimum password length of eight characters, enforce complexity requirements, and lock accounts out after three to five invalid login attempts.
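As an added example (not part of the original article), the following Python sketch checks a Windows security policy export against the length, complexity, and lockout baseline above. It assumes the policy was exported with `secedit /export`; the sample file content is constructed, and the change-on-first-login requirement is a per-account flag that this export does not contain, so it is not checked here.

```python
import configparser

# Constructed sample of a Windows `secedit /export` policy file (illustrative values).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 6
PasswordComplexity = 0
LockoutBadCount = 0
[Version]
signature="$CHICAGO$"
"""

def audit_password_policy(inf_text):
    """Return findings where the exported policy is weaker than the article's baseline."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep setting names in their exported case
    parser.read_string(inf_text)
    if not parser.has_section("System Access"):
        return ["[System Access] section missing; policy could not be evaluated"]
    access = parser["System Access"]

    def setting(name):
        # A missing or non-numeric value is reported rather than assumed compliant.
        try:
            return int(access.get(name, "").strip())
        except ValueError:
            return None

    findings = []
    length = setting("MinimumPasswordLength")
    if length is None or length < 8:
        findings.append(f"MinimumPasswordLength is {length}; baseline is at least 8")
    if setting("PasswordComplexity") != 1:
        findings.append("PasswordComplexity is not enabled")
    lockout = setting("LockoutBadCount")
    if lockout is None or not 3 <= lockout <= 5:
        # 0 means accounts are never locked out.
        findings.append(f"LockoutBadCount is {lockout}; baseline is 3 to 5 attempts")
    return findings

if __name__ == "__main__":
    for finding in audit_password_policy(SAMPLE_INF):
        print("FINDING:", finding)
```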
Are user accounts and their associated access levels on the network and critical systems reviewed regularly?
Financial institutions should perform a documented review of user accounts and their access levels to verify that accounts of terminated users are disabled and accounts of current users have appropriate access levels based on their job description. The review should be performed by a designated employee independent of administrative rights or by a group of employees.
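One way to support the documented review described above, as an added example that is not from the original article: a Python sketch that reconciles an HR roster with an account export and flags terminated users who are still enabled, enabled accounts with no HR record, and access beyond what the job title is approved for. The CSV layouts, usernames, group names, and the approved-access mapping are all constructed assumptions.

```python
import csv
import io

# Constructed sample data; column names and group names are assumptions.
HR_ROSTER = """username,status,job_title
asmith,active,Teller
bjones,terminated,Loan Officer
cdoe,active,Loan Officer
"""
ACCOUNTS = """username,enabled,groups
asmith,true,Teller-App;Wire-Approvers
bjones,true,Loan-Origination
cdoe,true,Loan-Origination
svc_backup,true,Domain Admins
"""
# Access approved per job description (hypothetical mapping).
APPROVED = {"Teller": {"Teller-App"}, "Loan Officer": {"Loan-Origination"}}

def review_access(hr_csv, accounts_csv, approved):
    """Return (username, finding) tuples for the reviewer to document and resolve."""
    hr = {r["username"].strip().lower(): r for r in csv.DictReader(io.StringIO(hr_csv))}
    findings = []
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        user = acct["username"].strip().lower()
        enabled = acct["enabled"].strip().lower() == "true"
        if not enabled:
            continue  # disabled accounts cannot be used to log in
        person = hr.get(user)
        if person is None:
            # Service or orphaned account: needs a named owner and a justification.
            findings.append((user, "enabled account has no HR record"))
            continue
        if person["status"].strip().lower() != "active":
            findings.append((user, "terminated user account is still enabled"))
            continue
        groups = {g.strip() for g in acct["groups"].split(";") if g.strip()}
        extra = groups - approved.get(person["job_title"].strip(), set())
        if extra:
            findings.append((user, "access beyond job description: " + ", ".join(sorted(extra))))
    return findings

if __name__ == "__main__":
    for user, finding in review_access(HR_ROSTER, ACCOUNTS, APPROVED):
        print(f"{user}: {finding}")
```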
Does remote access require dual factor authentication?
Dual factor authentication should be required for all remote access to financial institution systems. Dual factor authentication requires the user to present at least two of the following: something they know, such as a password or personal identification number (PIN); something they have, such as a token; or something they are, such as biometric identification.
Is administrator-level activity on the network and critical systems reviewed regularly?
Administrator-level activity should be monitored on the network and critical systems to help prevent unintentional or unauthorized use of privileged access rights. A centralized event management tool is recommended to help ensure that administrator-level activity is immediately reported and reviewed by employees or a third-party vendor tasked with the oversight function.
Is critical data backed up regularly, at a minimum daily, and are backups tested?
The servers and workstations containing critical data should be backed up on a regular basis, at least daily, and the backups should be moved to an off-site location to help prevent data loss due to cyberattacks. In addition, backups should be tested regularly, at least quarterly, to verify that they are functioning as expected.
Is confidential information encrypted when it is sent outside of the financial institution's network?
Encryption should be used when transmitting confidential information outside of the financial institution's network.
This is not an all-inclusive list of suggested cybersecurity controls, but rather the baseline of controls that financial institutions should have in place. Additional controls and policies should be in place to help address your financial institution’s specific operations.
If you have questions on or need assistance with your cybersecurity program, please contact your Wipfli relationship executive.