Cybersecurity Assessment Observations
November 17, 2014 | Author: Craig N. Landrum
Law Firm: Jones Walker LLP - Jackson Office

In June 2014, the Federal Financial Institutions Examination Council ("FFIEC") launched a pilot cybersecurity testing program utilizing upcoming state and federal regulatory examinations at more than 500 community financial institutions. The purpose of the effort was to assess how these financial institutions manage cybersecurity and their ability to mitigate cyber risks. On November 3, the FFIEC released its Cybersecurity Assessment Observations (the "Observations") on the foregoing issues with a recommendation that financial institutions participate in the Financial Services Information Sharing and Analysis Center ("FS-ISAC"). The Observations detail themes from the assessments and provide questions that management, especially boards of directors, should consider when assessing their institution's cybersecurity preparedness.

When assessing cybersecurity preparedness, it is important to understand the financial institution's inherent risk to cybersecurity threats and vulnerabilities. In evaluating cybersecurity inherent risk, consideration must be given to access points and connection types, products and services offered, and the technologies used for each system or application, since each is a potential entryway for an attack.

The cybersecurity assessment also reviewed financial institutions' current practices and overall preparedness, focusing on risk management and oversight, threat intelligence and collaboration, cybersecurity controls, external dependency management, and cyber incident management and resilience. The Observations emphasize that strong governance includes clearly defined roles and responsibilities that assign accountability to identify, assess, and manage cybersecurity risks across the financial institution, with the tone set from the top to build a security culture.

To monitor and maintain sufficient awareness of cybersecurity threats and vulnerabilities, financial institutions should participate in information-sharing forums such as FS-ISAC, a non-profit information-sharing forum established by financial institutions. An important element of the financial institution's risk management processes is its ability to identify, respond to, and mitigate cybersecurity threats and incidents. Financial institutions are strongly encouraged by the members of the FFIEC to join FS-ISAC for this resource.

The Observations conclude by emphasizing the need for engagement by the board of directors and senior management, including understanding the institution's cybersecurity inherent risks, routinely discussing cybersecurity issues in meetings, and monitoring and maintaining sufficient awareness of threats and vulnerabilities. This will allow a bank to establish a dynamic control environment that manages and addresses cyber incident risk scenarios.

Due to the increasing sophistication of cyber threats, financial institutions can expect additional scrutiny during upcoming exams of management and board involvement in assessing and managing cybersecurity risks. Additionally, financial institutions can expect further guidance from the FFIEC to align with the changing cybersecurity risk environment.