New FFIEC Cyber Exams: What to ExpectEarly Feedback, Tips from Institutions in Pilot Program
What can banking/security leaders expect when examiners come calling to conduct cybersecurity risk assessments as part of the Federal Financial Institutions Examination Council's new pilot program? (see FFIEC Cybersecurity Assessments Begin).
See Also: A CISO's Guide to Communicating Risk
Direct feedback is hard to find. Most institutions have yet to undergo these exams, and the ones that have are reluctant to say much.
But banking and security experts say some details have emerged from recent exams that can help the selected banks and credit unions prepare for their own. These insights come from feedback experts have received from the institutions they advise or work with on cybersecurity initiatives.
Here is what the experts say about the exams and how institutions should prepare for them.
What to Expect
More than 500 community banks and credit unions are slated to undergo these new regulatory reviews by the end of July. But exactly what federal banking examiners expect from those institutions is not crystal clear.
Regulatory bodies such as the Office of the Comptroller of the Currency, and banking bodies such as the Financial Services Sector Coordinating Council and the Financial Services Roundtable, suggest that C-suite executives and boards of directors will be called upon by regulators to showcase their cybersecurity knowledge.
They also suggest that cyber-intelligence and information sharing - areas where community banks have historically struggled - will be key going forward.
James Harris, an IT security auditor for Austin, Texas-based Compliance Advisory Services LLC, says regulators are in the process of fact-finding. From what his banking clients tell him, examiners seem more interested in having a dialogue than going over a checklist.
Based on a conversation with one examined banking client, Harris says, "The examiner would not let the banker see the actual questions. The questions had to be verbally read to the banker and he had to give verbal responses - most of which were 'yes' or 'no' responses."
That's a positive sign, says Mark Clancy, director at The Depository Trust & Clearing Corp., a financial services company that provides clearing and settlement services. Clancy, who spoke in June at a Financial Services Roundtable event about cybersecurity concerns posed by over-assessment, says institutions need to inform banking regulators about what their real cyber concerns and risks are.
"This dialogue allows them to put some context around the specific threats they face," he says. "That is the right way to approach it, because the threats a small bank may face are not going to be the same as the threats a large bank faces. Additionally, with the cyber risk assessments, if I'm a small bank, I'm entirely dependent on service providers, and I think the dialogue between banks and supervisors is a step in the right direction."
The challenge for smaller institutions, Clancy says, is that they are expected to provide the same services that the larger banks provide. To do that, they have to lean on third parties and often outsource services, which poses inherent cybersecurity risks. This is a challenge that is unique to smaller institutions, and regulators need to appreciate how they can help community banks and credit unions address that challenge.
Attorney Amy McHugh, a former examiner with the Federal Deposit Insurance Corp. who now works as an IT consultant for professional services firm CliftonLarsonAllen, says information sharing and participation in the Financial Services Information Sharing and Analysis Center's Cyber Attack Against Payment Processes exercise are two areas regulators have focused on in the examinations conducted so far with her clients.
"It looks like additional emphasis will be placed on how the bank is monitoring and sharing information about current cyberthreats, and third-party access to internal network resources," likely a reaction to the Target Corp. breach, McHugh says.
Joram Borenstein, a cyber-fraud expert and vice president at NICE Actimize, which provides compliance services to banks and credit unions, says institutions just need to appreciate that the cyber landscape has changed.
"Banks are sharing information and trends informally, and have been doing so for years. What is different now is that the sharing communities have become larger, and the government is also supporting this sharing in a much more robust manner than ever before," he says. "Institutions should assume cybersecurity will become an increasingly regulated area to be handled in the same way other areas of compliance are handled."
How to Prepare
For institutions still awaiting their cybersecurity assessments, the experts have a few words of advice. Topping the list:
- Ensure your top-level executives are up to speed on emerging threats.
- Be well-versed in existing cybersecurity recommendations, such as those outlined by the National Institute of Standards and Technology in its cybersecurity framework (see How Will NIST Framework Affect Banks?).
- Show your involvement in information sharing groups, such as the FS-ISAC, and participation in CAAPP exercises.
- Understand and be able to articulate how your institution assesses third-party risks, as well as how the compromise of a third party could impact your institution's network.
On July 1, CliftonLarsonAllen published a checklist for banks and credit unions that are among the 500 to be assessed. Overall, CLA recommends banking institutions set a "tone at the top" for building and maintaining a security culture, McHugh says.
"The process shifts more of the audit emphasis on the security of IT rather than the technical aspects of IT," McHugh says. "It also shifts the responsibility to senior and executive-level management.Ë®