FFIEC to Update Cybersecurity Guidance
Pilot Assessments Find Community Banks at Risk
As a result of its recent cybersecurity assessments of more than 500 community banks, the Federal Financial Institutions Examination Council will review and update guidance to help banking institutions address changing cyber-risks.
The FFIEC, which comprises several U.S. banking regulators, says the financial infrastructure's interconnectedness and increasing reliance on Internet-based systems and servers has opened the door for new cyberthreats.
Now, the onus is on institutions to ensure they are adequately and regularly assessing their risks, investing in risk-mitigation technologies, and educating staff about the increasing role cybersecurity plays in day-to-day business practices.
In a Nov. 3 statement outlining findings from its summer cybersecurity assessment pilot program, the FFIEC notes: "As a result of the cybersecurity assessment, FFIEC members are reviewing and updating current guidance to align with changing cybersecurity risk."
As part of a summary of general observations, the FFIEC recommends banking institutions take immediate steps to:
- Engage their boards of directors and senior management to ensure they understand their institutions' inherent cybersecurity risks;
- Routinely discuss cybersecurity issues in meetings;
- Monitor and maintain sufficient awareness of threats and vulnerabilities throughout the organization;
- Establish and maintain a dynamic control environment;
- Manage connections with and to third parties; and
- Develop and test business continuity and disaster recovery plans that incorporate cyber-incident scenarios.
"As part of the national critical infrastructure, U.S. financial institutions all need to give a high priority to cybersecurity, and, as we can see from the FFIEC's findings, only some have," says Tom Wills, a financial fraud expert and director of Ontrack Advisory, a consulting firm focused on payments innovation. "We know from experience that attackers will consistently find and exploit the weakest link in the security chain. So at an industry level, the weakest link - the institution with the weakest security posture - should be very difficult for adversaries to compromise. Hopefully, these findings will help to raise the bar for the industry."
The Cyber Pilot: Key Findings
In June, the FFIEC launched its cybersecurity assessment pilot program, which examined more than 500 community banking institutions. The purpose of the program: to help smaller institutions address potential security gaps (see FFIEC Cybersecurity Assessments Begin).
In its assessments, the FFIEC found that a banking institution's level of inherent cybersecurity risk - which is determined by the institution's activities and connections, notwithstanding risk-mitigating controls already in place - varies significantly from institution to institution.
Connections, as defined by the FFIEC, can refer to a variety of access points, including virtual private networks, wireless networks and bring-your-own-device policies. Institutions need to know which connections may be more vulnerable, the FFIEC stresses.
Banking institutions also need to be mindful of the risks that the technologies they deploy introduce into their environments, the FFIEC warns. ATMs, for instance, may be vulnerable to cash-out scams, and institutions offering Web-facing services may be vulnerable to distributed-denial-of-service attacks.
Role of Information Sharing
Because cyber-attacks and schemes continue to evolve, the FFIEC finds that community banks that regularly participate in cyber-intelligence sharing programs are far better prepared to anticipate and mitigate cyber-risks. These institutions also are better equipped to enhance their existing controls and identify vulnerabilities in their systems, the FFIEC notes.
In a separate statement dedicated solely to the need for more cyber-intelligence sharing, the FFIEC recommends that all U.S. banks and credit unions get involved in information-sharing forums, such as the Financial Services Information Sharing and Analysis Center, to ensure they are identifying, responding to and mitigating cybersecurity threats and vulnerabilities.
But Al Pascual, director of fraud and security at Javelin Strategy & Research, says information sharing won't likely ever be widespread enough to help solve most community banks' cybersecurity problems.
That's because, until smaller institutions invest in advanced cyber-threat detection and prevention systems and tools, they will remain the proverbial "low-hanging fruit" for cybercrime, he says.
"The tacit endorsement of the FS-ISAC speaks to the disparity in preparedness that the FFIEC found as part of its assessments," Pascual says. "Unfortunately, while cooperation among the nation's largest institutions through organizations like the FS-ISAC has allowed them to stay abreast of and pre-emptively mitigate threats which have yet to make front-page news, there are still thousands of banks that are not taking advantage of valuable information-sharing opportunities."
As a result, cybercriminals see these smaller institutions as easy targets, Pascual contends.
"That is not to say that the FS-ISAC has been unsuccessful in attracting participation among community banks. But as they represent the bulk of U.S. institutions, it will be incumbent upon groups such as the ICBA [Independent Community Bankers of America] and the ABA [American Bankers Association] to reiterate the FFIEC's message and bring more of them into the fold."
"It makes a lot of sense for the FFIEC to recommend [financial institutions] join FS-ISAC," she says. "Collaboration and sharing threat intelligence greatly increases the chances individual banks have of mitigating risk. The criminals typically attack multiple financial institutions using the same techniques, attack servers and malware. The bad guys are definitely collaborating and cross-pollinating - and so should the good guys."
What's more, Litan says the FS-ISAC's recent deployment of Soltra Edge, an automated information-sharing application designed by the Depository Trust and Clearing Corp. to help organizations streamline threat intelligence, makes the FFIEC's recommendations easier for banking institutions to fulfill.
"They already have the infrastructure to support such sharing in privacy-respectful ways," Litan says. "I imagine the banks will get at least a 15 percent to 25 percent lift in their fraud-detection results if they are participating in FS-ISAC threat-intelligence sharing forums."
The FFIEC's assessment weighed institutions' abilities to respond to cybersecurity threats, focusing on risk management and oversight; threat intelligence and collaboration; cybersecurity controls; external dependency management; and cyber incident management and resilience.
The FFIEC found that while most institutions understand the need to train employees about cybersecurity risk management, banks saw stronger outcomes when their training and awareness programs were kept current and provided on a routine basis.
"Employees can be financial institutions' first line of defense for many types of attacks, particularly social engineering attacks through phishing e-mails, which attempt to acquire sensitive information by masquerading as a trustworthy entity," the FFIEC says.
Most institutions implement preventive controls to impede unauthorized access to their systems, the FFIEC determined. But it notes that controls need to be reviewed and adjusted when financial institutions change their IT environments. The FFIEC also recommends that, as a preventive control, institutions consider encrypting different types of sensitive data, including proprietary and technical information.
According to the FFIEC's summer assessment findings, many institutions have business continuity and disaster recovery plans and are able to call on third parties to provide mitigation services when incidents occur.
But when it comes to breach response, institutions should have procedures in place for notifying customers, regulators and law enforcement, especially when personally identifiable customer information may have been exposed, the FFIEC says.
"Documenting the procedures used for incident detection and response, and providing detailed metrics on cyber-incidents, will inform management and the board and support the timely escalation and decision making in the event of cyber-attacks," the FFIEC says.
Institutions also need to ensure they're managing third-party risks by evaluating their vendors' cybersecurity controls, the FFIEC says. It's also important that institutions understand third parties' responsibilities for managing cybersecurity risk and incident response.