FFIEC: Boards Need Cyber Training
C-Level Execs, Boards Don't Understand Emerging Threats
Amy McHugh, an attorney and former FDIC IT examination analyst who now works as a banking consultant for CliftonLarsonAllen, says federal banking regulators will soon scrutinize C-level executives and boards of directors at community banks and credit unions to gauge their cybersecurity awareness.
This news comes in the wake of the Federal Financial Institutions Examination Council's just-completed pilot program for cyber-risk assessments of community banks, which revealed a lack of understanding of emerging cyberthreats among many leading banking institution executives, McHugh explains during this interview with Information Security Media Group.
McHugh says banks and credit unions should be reviewing the FFIEC's latest recommendations, issued as a result of those cyber-risk exams, to identify areas where they need to make improvements (see FFIEC to Update Cybersecurity Guidance).
In addition to the need for more board-level involvement in cybersecurity, the banking regulators also noted the need for improved cyberthreat information sharing and disaster-recovery planning, McHugh notes.
Educate the Board
The consultant believes institutions would be well served to focus on board and C-level executive cybersecurity training right away. She speculates, based on exam questions she has reviewed and discussions she has had with community bank and credit union clients, that a lack of cybersecurity knowledge among top banking executives likely raised red flags for regulators during the pilot exams over the summer.
"I do think there should be some sort of internal resource that can help the board," McHugh says. "And I believe this is going to be an area of emphasis for regulators going forward."
While boards of directors and CEOs may not be asked why a certain type of malware can penetrate a firewall, McHugh notes, they are likely to be asked during FFIEC IT and vendor-management exams what their institutions are doing to address threats known to penetrate firewalls.
When it issues updated cybersecurity guidance in the months ahead, the FFIEC is going to expect boards to be knowledgeable about cyberthreats by a certain date, McHugh predicts. "So institutions may want to think about board training, and get that in motion now."
Banks and credit unions also should start getting involved in information-sharing forums, such as the Financial Services Information Sharing and Analysis Center, which the FFIEC specifically recommends in its Nov. 3 analysis of the pilot assessments.
"A lot of community banks and credit unions didn't realize the FS-ISAC existed before this process," McHugh says. "I think the lack of information sharing was a large part of why the FFIEC initiated this pilot program."
McHugh says banks and credit unions should be preparing for some sort of FFIEC updated cybersecurity guidance to take effect next year. "I recommend that financial institutions review their programs now and start implementing some of these recommendations from the FFIEC as soon as they can," she says.
During this interview, McHugh also discusses:
- Why cyber-intelligence sharing is being stressed by banking regulators;
- Why community banks are seen as low-hanging fruit for cybercrime; and
- How the FFIEC is expected to address cybersecurity risk assessments.
McHugh, an attorney and Certified Information Systems Auditor, is a former IT examination analyst for the Federal Deposit Insurance Corp. who now works as a banking institution adviser for CliftonLarsonAllen, a professional services firm. Her areas of specialization include Gramm-Leach-Bliley Act compliance; information systems review; risk assessments and policy development; information security program development and implementation; vendor management; cloud computing; and corporate account takeover fraud.