Coined by Ronald Reagan, and probably one of the ten most dangerous phrases in the English language, is “I’m from the government and I’m here to help.” When it comes to assisting financial institutions with developing a cybersecurity strategy, this may not be exactly the case, but it is close.
It’s no secret that cyber threats continue to increase. The bad guys will go where the money is. But you can’t develop a cybersecurity strategy if you don’t know what you are up against. So where do you go for help to understand the evolving threats and how to mitigate them based on your risk profile?
Fortunately, there is help for financial institutions. The Federal Financial Institutions Examination Council (FFIEC) and other agencies are providing assistance. The FFIEC has created a website specifically for promoting Cybersecurity Awareness: www.ffiec.gov/cybersecurity.htm. The purpose of the website is to help management and directors of financial institutions understand supervisory expectations, increase awareness of cybersecurity risks, and assess and mitigate the risks facing their institutions. The website is updated as new FFIEC resources become available. You should consider this as a starting point for developing your cybersecurity strategy.
What Cyber Threats Are Relevant to Your Financial Institution?
The FFIEC is encouraging financial institutions of all sizes to participate in the FS-ISAC as part of their process to identify, respond to, and mitigate cybersecurity threats and vulnerabilities. While the FS-ISAC has been around for a while, it has gotten little attention until recently. The FS-ISAC is a nonprofit, information-sharing forum established by financial services industry participants to facilitate the public and private sectors’ sharing of physical and cybersecurity threat and vulnerability information. You can find FS-ISAC at www.fsisac.com.
Also, consider other data breach intelligence resources such as the Symantec Intelligence Report. This monthly intelligence report provides the latest analysis of cybersecurity threats, trends, and insights from the Symantec Intelligence team concerning malware, spam, and other potentially harmful business risks. And don’t worry about it being too technical for your Board of Directors or IT Steering Committee—it contains many charts and graphs to get the point across. Other data breach intelligence can be obtained from Verizon (Verizon Data Breach Investigations Report), Microsoft (Microsoft Security Intelligence Report), and the SANS Institute (weekly NewsBites emails). You can use your favorite Web search engine to download or subscribe to any of these information-sharing resources.
How Well Is Your Financial Institution Protected?
The FFIEC has also provided financial institutions with a Cybersecurity Assessment Tool. The tool provides your institution with a repeatable and measurable process to inform management of your institution’s risks and cybersecurity preparedness. By completing the assessment, you can determine whether management is taking appropriate steps in relation to the risk. If not, your institution may take action either to reduce the level of risk or to increase the levels of maturity.
Educating the Board of Directors and Other Key Stakeholders
So how do you get your Board of Directors, officers, and other key stakeholders involved in developing and implementing a cybersecurity preparedness plan? It is their responsibility to define the risk appetite and direction, oversee the development and maintenance of the plan, and provide ongoing monitoring of the institution’s exposure to and preparedness for cyber threats. For many financial institutions, this can be a challenge. Fortunately, several new tools, including short videos, were released by the FDIC (FIL-55-2015) to help increase cybersecurity awareness: www.fdic.gov/news/news/financial/2015/fil15055.pdf. These resources include information specifically for officers and directors of financial institutions regarding the importance of cybersecurity. Both videos can be completed in approximately one hour.
- The first video introduces the two-part series and covers the evolution of data security, defines cybersecurity, and reviews the current cybersecurity threat environment.
- The second video in this series reviews the components of traditional Information Security Programs (ISPs) and discusses how elements of the ISP should be refocused in the current cybersecurity threat environment. The video includes coverage of threat intelligence, third-party management, cyber resilience, and incident response programs. The video also provides a brief overview of the Cybersecurity Assessment Tool and includes resources to consult for additional information on cybersecurity risks and risk management processes.
The FDIC (FIL-55-2015) has created “Cyber Challenge: A Community Bank Cyber Exercise” to encourage community financial institutions to discuss operational risk issues and the potential impact of information technology disruptions on common banking functions. Using seven unique scenarios, the Cyber Challenge helps start an important dialogue among management and staff about ways they address operational risk today and techniques they can use to mitigate this risk in the future. The Cyber Challenge is not a regulatory requirement; it is a technical assistance tool designed to help you assess operational readiness.
Insight Article © Wipfli LLP
You will be seeing more information to help you establish a cybersecurity preparedness plan coming from the FFIEC and other regulatory agencies. Expect updates to the FFIEC IT Examination Handbooks. The FFIEC has also indicated that it will be providing financial institutions with resources in the following areas:
- Technology Service Provider Strategy
- Collaboration With Law Enforcement and Intelligence Agencies
- Incident Analysis
- Crisis Management
Be sure you subscribe to updated FFIEC statements and alerts by using the E-mail Alert Signup located on the website at www.ffiec.gov.
Cybersecurity threats will continue to evolve, which makes it imperative that your institution develop a strategy to address current and evolving threats and risks. Make sure you take advantage of these resources to help your management and directors understand supervisory expectations, increase awareness of cybersecurity risks, and assess and mitigate the risks facing your institution.