If you keep up with FFIEC news, you've probably seen something about "cybersecurity" recently. It's the latest security hot topic and rightfully so….with the convenience of technological advances and the increasingly electronic way we handle our money now, banks and their customers are a huge target for cyber threats. The FFIEC has been busy this year addressing these threats and making sure banks and other financial institutions are properly educated and are, in turn, properly addressing cyber security preparedness.
What has the FFIEC been up to?
June 2013 – formed a Cybersecurity and Critical Infrastructure Working Group to coordinate across the various regulatory agencies regarding critical infrastructure and cybersecurity issues
April 2014 – released two statements notifying financial institutions about the risks and risk management expectations surrounding ATMs/card authorization systems and Distributed Denial-of-Service (DDoS) attacks
May 2014 – provided a cybersecurity webinar for around 5,000 chief executive officers and senior managers to raise awareness about cyber threats and the importance of cybersecurity buy-in form the top. It's no longer an IT issue...
Mid - June 2014 – expected to release an interagency cybersecurity "work program"
It looks like the FFIEC is going to take a stronger stance and be more involved in education and expectations surrounding your risk management processes (including your controls and continuity practices).
The cybersecurity awareness webinar in May focused on four areas of risk management. These are key in developing a risk assessment and risk management procedures that are not just compliance documents whose primary benefit is keeping regulators off your back, but actual tools to aid in security and protection against all types of cyber threats. The key risk management pieces discussed in the FFIEC's webinar actually apply to all areas of security (not just cybersecurity):
Governance - This validates the idea that cybersecurity – and risk management in general – are not just a couple of items on your IT manager's to-do list. These are bank-wide issues, and they start at the top. Senior-level managers are needed to create a culture of security/cybersecurity awareness. This includes being aware of the threats, deciding how best to control those risk levels (through policies, appropriate training, preparedness procedures, etc.), and testing controls to ensure they're working as expected. I think you'll see the FFIEC much more interested in the culture of security at your organization, starting with the board.
Threat Intelligence – The foundation of a good security program or framework is knowing your enemy (in this case, understanding what threats you face). How else can you know what kinds of controls you need? I think in the past, most people were pretty comfortable with their threat knowledge. Those ranged from natural threats (like hurricanes and fires) to internal threats (like employee sabotage or unintentional disclosure) to external threats (unauthorized person sees a document or file). Most cybersecurity issues are grouped into just one or two external threats. That risk model has served its purpose and provided much needed information, but it's not a good model going forward. Cyber threats makeup too big a part of your threat landscape to be bundled into one. This will mean educating yourself on what types of cyber threats exist, how likely they are to occur, and how much impact could they cause. I expect the FFIEC to want to know what your institution is doing to stay up-to-date on cybersecurity knowledge.
Vendor Management – Good vendor management just helps to further control cyber risks. You're hopefully already increasing vendor oversight for your most critical vendors, but I think as your cybersecurity risk management increases, you need to make sure your expectations for your vendors' cybersecurity risk management procedures are appropriate as well. Outsourcing services to vendors doesn't let you off the hook from a risk management perspective…it just means your risk management looks a little different.
Incident Response – Any cynic (or good security professional) will tell you that it's not a matter of if you'll face a cybersecurity incident, it's a matter of when. Just as I see a shift in risk assessments from an item on your compliance checklist to the foundation of a good security program, I think your incident response procedures will need to keep up with the times (address cybersecurity specifically) and will also need to be tested. Does anyone at your institution know what your incident procedures are? If not, training your Incident Response Team and updating your procedures will be necessary in the near future.
I believe these four areas apply to all types of risk management at your institution. If you were already on top of your security program, you might just take some time to ensure that cybersecurity is addressed adequately.