FDIC: What to Expect in New GuidanceRegulators Will Address Specific Cyberthreats
When the Federal Financial Institutions Examination Council releases new cybersecurity guidance, it will address specific types of cyber-attacks and threats, according to examination specialists from the Federal Deposit Insurance Corp., one of the FFIEC's regulatory agencies.
During a Nov. 20 community banking advisory committee meeting, members of the FDIC's Division of Risk said future IT examinations for banking institutions of all sizes will include reviews of specific cybersecurity initiatives, such as employee awareness and training, as well as software and operating system patching.
New guidance also is expected to address inherent risks associated with mobile banking - an area many critics said should have been included within the FFIEC's updated authentication guidance, which was released in June 2011 (see FFIEC Draft: The Bad and Good).
When this new guidance will be issued, however, is unclear. But industry analysts say they expect banking regulators to issue the guidance within the next year, as congressional pressure to address emerging cyber-attacks continues to grow.
Why Guidance Is Needed
A catalyst for new guidance on cybersecurity initiatives was the FFIEC's summer pilot program for cyber-risk assessments conducted at 500 community banks (see FFIEC to Update Cybersecurity Guidance).
As a result of those exams, banking regulators note five domains where more attention must be paid to cybersecurity, says Marlene Roberts, a senior examination specialist at the FDIC. Those five domains include:
- Risk management and oversight, which includes C-level and employee awareness of emerging cyberthreats;
- Threat intelligence and information sharing;
- Cybersecurity controls, such as network-intrusion detection systems;
- Dependency management of third-party service providers;
- Management resilience, which includes disaster recovery and business continuity planning in the wake of a cyber-incident.
"Boards and management should stay abreast of cybersecurity issues, and routinely discuss cybersecurity and maintain awareness," Roberts says. "The world has evolved to a point where institutions, no matter what size, are going to be at risk of being targeted by a cyber-attack."
The purpose of the new guidance, and a more thorough cybersecurity examination program, is to ensure that banking institutions have addressed basic cyber hygiene, she adds.
Banking institutions also should be prepared to show examiners how they are mitigating threats posed by specific attacks and vulnerabilities, such as Heartbleed, the Bash bug, distributed-denial-of-service attacks and ATM cash-outs, says Donald Saxinger, another FDIC senior examination specialist.
Institutions already have some regulatory pointers they can use as guideposts in anticipation of the guidance, Saxinger says. That's because all of the cyber-risk warnings issued by the FFIEC and its member agencies over the last 12 months will eventually be included in the new guidance.
"We have put out about warnings related to SSL [secure sockets layer] vulnerabilities with Heartbleed, for instance, which will be included in our guidance," he says.
The new guidance also will likely include recommendations for information sharing.
"In 2006, the Information Security Booklet was updated to address monitoring security threats," Saxinger says. "Today, the threats are greater. So, in April, we recommended that banks use external resources, such as the U.S. CERT [Community Emergency Response Teams] to share information. In November, we issued another press release advising that financial institutions participate in information sharing organizations like the FS-ISAC [Financial Services Information Sharing and Analysis Center]."
Information sharing also includes sharing detailed data-breach cost-analyses with law enforcement, to ensure no cyber-event falls under the radar, Roberts adds.
"If the cost of the breach reaches a certain threshold, you can file a SARs [suspicious activity report], and that helps law enforcement determine if this is an isolated incident or is one that is more widespread," she says.
How Institutions Can Prepare
Amy McHugh, an attorney and former FDIC IT examination analyst who now works as a banking consultant for CliftonLarsonAllen, says information sharing and C-level awareness are the two areas where community institutions should be focusing most of their attention.
Both of those areas were critical weak points regulators noted in their post-pilot-exam analysis, she says.
"I continue to stress the importance of financial institutions belonging to some sort of information sharing community, like the FS-ISAC, and regional or local peer groups," McHugh says. "Also, institutions should strengthen their incident response programs to include at least annual scenario testing and training."
A Shift in Regulatory Oversight?
Financial fraud expert Avivah Litan, an analyst at the consultancy Gartner, says consolidating and formalizing cybersecurity objectives within formal guidance should help banking institutions ensure they are investing in the right cyberthreat mitigation strategies and technologies. "Having guidance helps fraud and security teams get budgets for bigger investments," she says.
But new guidance also means more heavy-handedness from the regulators, which often slows business processes, she contends.
Javelin Strategy & Research analyst Al Pascual says regulators, by calling for the inclusion of specific threats and vulnerabilities like Shellshock, may be suggesting that they plan to be more active and current with their guidance and examination expectations going forward.
"It leads me to believe that any guidance regulators release would be on an annual, or even continually updated, basis, which is pretty unique," Pascual says. "It would be a welcomed change to a world where it takes years to formalize best practices, which, by the time they take effect, are often dated."
Shirley Inscoe, a financial fraud analyst with the consultancy Aite, says the FDIC's comments likely signal a significant shift in the way regulators address and assess cybersecurity.
"Cybercrime has become such a major problem, the regulators must focus on it more regularly going forward," she says. "There are so many new forms of malware, so many hacking incidents and so many data breaches - the environment is extremely challenging, so it deserves regular attention."