FFIEC Issues Cyber-Resilience Guidance
Regulators Outline Cyberthreats to Business Continuity
New business continuity guidelines from the Federal Financial Institutions Examination Council paint a more detailed picture of the cybersecurity initiatives banks and credit unions will be asked about during upcoming examinations.
These new guidelines are likely the result of the FFIEC's cybersecurity assessment program that was piloted at 500 community institutions last summer, experts say.
On Feb. 6, the FFIEC added a 16-page appendix to its Business Continuity Planning Booklet, which first was issued in March 2003 and included within the FFIEC's IT Examination Handbook.
The new appendix, "Strengthening the Resilience of Outsourced Technology Services," specifically calls out key cybersecurity risks, such as distributed denial-of-service attacks, as well as the need for more due diligence of third parties and attention to infrastructure interdependencies, issues that regulators have for months been telling banking leaders they need to address (see OCC: More Third-Party Risk Guidance and FDIC: What to Expect in New Guidance).
This new appendix marks the first time the term cyber-resilience - an organization's ability to withstand a cyber-attack by minimizing the disruption or impact that attack has on its ability to conduct business - has been included in the FFIEC's IT Handbook, says Stephanie Collins, a spokeswoman for the Office of the Comptroller of the Currency, the lead agency for the FFIEC.
The term was added to the handbook to illustrate the changing threats and vulnerabilities financial institutions face, she says. "However, the fundamental controls that are discussed in the appendix are not new and have been addressed in this and other booklets," Collins adds. "The OCC, along with the FFIEC member agencies, have and will continue to emphasize the importance of comprehensive resilience and security controls for financial institutions."
While more definitive guidance could be on the way, these business continuity guidelines provide a good baseline for managing third-party risks and achieving cyber-resilience, says Amy McHugh, an attorney and former FDIC examination specialist who now works as a senior IT consultant at CliftonLarsonAllen.
"This is the first step for the new cybersecurity/risk guidance," she says. "Because cybersecurity concerns surrounding third parties and banking institutions' internal defenses are noted in this appendix, it indicates that the agencies believe these are the most important elements of the CA [cyber-exam] results."
Banks and credit unions need to expand their understanding of the cybersecurity plans their vendors and other third parties have in place, McHugh stresses. "I see this as a clarification or formalization of expectations for business continuity and disaster recovery, based on the 2014 CA pilot," she adds.
In its new addition to its business continuity guidance, the FFIEC notes five cyber-resilience risks banking institutions and their service providers need to address in their business-continuity plans:
- Malware attacks;
- Insider threats;
- Data or systems destruction and corruption;
- DDoS and other communications disruptions; and
- Attacks that are waged simultaneously against institutions and their service providers.
McHugh says banks and credit unions should be bracing for a more expanded IT examination process as a result of these new cyber-resilience guidelines.
Financial fraud expert Shirley Inscoe, an analyst at the consultancy Aite, says the new guidance "provides broad coverage of the steps FIs [financial institutions] must take to be adequately prepared in the existing threat environment."
In fact, institutions that recently underwent a standard IT exam could be called upon by their examiners for a second exam that focuses specifically on cyber-resilience expectations, she says. All future exams, she predicts, will address cyber-resilience.
Fighting Cyber Risks
To address the increasing risks posed by malware, the FFIEC recommends institutions and service providers implement layered anti-malware strategies, such as anomaly detection, system behavior monitoring and employee security awareness training. Strong passwords, appropriately controlled mobile devices, controls over access to social networks, hardened software and operating systems, and controlled and monitored Internet access also are recommended.
To mitigate insider threats, institutions should regularly screen employees and ensure that duties are segregated, the FFIEC advises.
Data replication may be an effective way to recover data that has been corrupted or destroyed, the FFIEC notes. But because backup systems also may be vulnerable to attack, institutions and their third parties should consider adding so-called air-gapped data backups - data that is backed up and stored on segregated computers, systems or networks that have no physical contact with internal systems and networks.
"Some financial institutions have deployed cloud-based disaster recovery services as part of their resilience program," the FFIEC states. "These services have unique data integrity risks and, therefore, financial institution management should assess services before implementation and reassess them periodically after deployment, as the technology, capability and threats change."
Ensuring that data is backed up in off-site locations also can address risks posed by attacks that are waged simultaneously against an institution and its service provider, the FFIEC points out.
Simultaneous DDoS attacks are a concern as well, because they can impact telecommunications and electronic messaging, the FFIEC states. As a result, banks and credit unions should consider working with independent, redundant and alternative communications providers.
And every institution should set up plans for third-party forensics investigations and incident management services in advance of a cyber-attack, the FFIEC notes.
"Financial institutions should immediately review this appendix and perform a risk assessment to determine where gaps exist in their current processes," Inscoe says. "A strategic plan and timeline should be developed to address any gaps."
McHugh says banks and credit unions should review the FFIEC's preliminary findings and recommendations from the summer pilot cyber-exam program and begin documenting how their current information security programs address those recommendations. She recently hosted a webinar that highlights some of these findings and recommendations.
Jeff Man, an information security expert with Tenable Network Security, says institutions have to be careful they aren't tempted to make their reviews for cyber-resilience a check-box compliance exercise. Ensuring the cyber-resilience of their internal networks, as well as the networks of their third-party service providers and vendors, requires going beyond simply implementing recommendations in the new guidelines.
Man says banks and credit unions should reach out to their existing and new service providers and question them about how well-prepared they are for examinations focused on cyber-resilience.
"That will likely start quite a few fire drills, but the outcomes, hopefully, will be positive, by increasing security measures, accurate documentation of the processes surrounding those measures, and recognition or documentation of 'who's doing what' - basically documenting the roles and responsibilities between the FIs and the TSPs for the various aspects of security," he says.