FFIEC Cybersecurity Assessments Begin
500 Community Institutions to Be Examined in Pilot
The Federal Financial Institutions Examination Council has started its cybersecurity assessment pilot program, which will examine more than 500 community banking institutions. Plus, the council has launched a Web page dedicated to cybersecurity information.
The pilot program is slated to run through July, says Stephanie Collins, spokesperson for the Office of the Comptroller of the Currency.
The aim of the pilot program is to help smaller banking institutions address potential security gaps. The assessments will be conducted by state and federal regulators during regularly scheduled examinations, the FFIEC says.
"Information from the pilot effort will assist regulators in assessing how community financial institutions manage cybersecurity and their preparedness to mitigate increasing cyber risks," the council says.
Areas the regulators will be focusing on during the cyber-assessments include risk management and oversight; threat intelligence and collaboration; cybersecurity controls; service provider and vendor risk management; and cyber-incident management and resilience.
"Another aim of the pilot is to help regulators make risk-informed decisions to enhance the effectiveness of supervisory programs, guidance and examiner training," the FFIEC says.
Institutions to be examined include those with less than $10 billion in total assets. The exams will also look at limited-purpose chartered institutions, including trust banks and community development banks, as well as credit unions, Collins at the OCC says.
During a recent webinar held for approximately 5,000 CEOs and senior managers from community financial institutions, the FFIEC highlighted key focus areas for senior management and boards of directors as they assess their institutions' ability to identify and mitigate cybersecurity risks, including:
- Setting the tone from the top and building a security culture;
- Identifying, measuring, mitigating and monitoring risks;
- Developing risk management processes commensurate with the risks and complexity of the institutions;
- Aligning cybersecurity strategy with business strategy and accounting for how risks will be managed both now and in the future;
- Creating a governance process to ensure ongoing awareness and accountability; and
- Ensuring timely reports to senior management that include meaningful information addressing the institution's vulnerability to cyber-risks.
The council did not immediately respond to a request for additional information, including details of when the pilot program will end and be replaced with a permanent program.
Cybersecurity Web Page
The FFIEC's new cybersecurity Web page will serve as a central repository for relevant materials, offering links to joint statements, webinars and other information to assist financial institutions.
"While information security has been a core focus of supervision for decades, the FFIEC members are taking a number of steps to raise awareness of cybersecurity risks at financial institutions and the need to identify, assess and mitigate these risks in light of the increasing volume and sophistication of cyberthreats that pose risks to all industries in our society," the FFIEC says.
Preparing for Assessments
Industry associations and analysts say banking leaders should be preparing for more stringent oversight of cybersecurity awareness and initiatives (see: FFIEC Cyber Assessments: What to Expect).
Doug Johnson, vice president of risk management policy for the American Bankers Association, says community institutions should expect in-depth reviews of their cybersecurity awareness during the examination process. "We have not had so much focus on cyber specifically in the past," he says. "But at the end of the day, this is about risk assessment. Good cybersecurity just makes good business sense. It's a risk management exercise."
Banks and credit unions should prepare for more questions about their third-party relationships and their risk-mitigation strategies for third parties, says Shirley Inscoe, a financial fraud analyst at consultancy Aite Group.
"Institutions should conduct internal security reviews and renew efforts with third parties they deal with to ensure they identify any weak links, particularly with regards to transaction processing and any confidential consumer information that leaves the institution's firewalls," she says.