Articles

By: (CISA, CISSP, CRISC)
Publication: ICBA Independent Banker, August 2014

The first tweet ever written was by co-founder Jack Dorsey on March 21, 2006, at 9:50 p.m., which read, “just setting up my twttr.” Now, just over eight years later, Twitter averages more than 500 million tweets per day.* According to a statistic released as part of the ICBA 2014 Top 50 Community Bank Leaders in Social Media, nearly 2,500 banks have a Facebook or Twitter presence, and the numbers continue to exponentially grow. It is apparent everywhere you turn that social media is one of the hottest new communications tools in our society. It is no wonder banks are joining in. In fact, the FFIEC even released guidance in December 2013 on social media, entitled “Social Media: Consumer Compliance Risk Management Guidance.” So how do banks use social media and what do they need to be wary of?


By: (Security+)
Publication: Nebraska Banker, July/August 2014

Not long ago, the Federal Financial Institutions Examination Council (FFIEC) announced and began its examination pilot program about cybersecurity activities, reviewing over 500 community financial institutions as part of its summer examination cycle. The FFIEC says the purpose of this pilot program is to "assess how community financial institutions manage cybersecurity and their preparedness to mitigate increasing cyber risks."

So, why the need for more guidance? Shouldn't our information security program address cyber-attacks? Well, it could, but do you know of many institutions that are fully prepared to address a cybersecurity incident, regardless of what the incident may be? Probably not. Regardless of desire for security, we are typically two steps behind attackers because they are the inventors of attacks. The new focus on cybersecurity is greatly directed toward improving the financial institution culture regarding cybersecurity, making it into a culture of corporate awareness and expectancy. You may notice that the FFIEC has emphasized a top-down structure, starting with the education of CEOs, through their informational webinar back in May. CEOs were encouraged to be bigger players in the cybersecurity sphere, due to the fact that every employee should be sensitive to the realities of cybersecurity. Admittance is the first step to recovery.


By:
Publication: The Community Banker, Summer 2014

If you keep up with FFIEC news, you've probably seen something about "cybersecurity" recently. It's the latest security hot topic, and rightfully so: with the convenience of technological advances and the increasingly electronic way we handle our money now, banks and their customers are a huge target for cyber threats. The FFIEC has been busy this year addressing these threats and making sure banks and other financial institutions are properly educated and are, in turn, properly addressing cybersecurity preparedness.

What has the FFIEC been up to?

June 2013 – formed a Cybersecurity and Critical Infrastructure Working Group to coordinate across the various regulatory agencies regarding critical infrastructure and cybersecurity issues


By:
Publication: The Kansas Banker, June 2014

The previous "year of the security breach" is behind us, and now we find ourselves treading water through a year that so far has been defined by significant vulnerabilities and exposures. How do we proactively protect against these newly discovered threats? Luckily, or unluckily depending on how you want to look at it, due to the nature and severity of some of the recent security breaches we have been given plenty of data to analyze. With each new story, I caught myself repeating some variation of "Why did they allow…? That goes against everything you learn in security 101!" Let's just call this our "opportunity to improve."


By:
Publication: The Colorado Banker, May/June 2014

Regulatory agencies have been busy this year! This seems to be the year of FILs, OCC Bulletins, and FFIEC documents. Some that came out earlier than that are also seeing an increase in attention. Make sure these areas of information security are addressed in your program (or are at least on your radar) before your next exam:

Of course, you'll have other security controls and documentation to answer for on your next exam, but I wanted to let you know some of the new things we've noticed examiners wanting to see this year. Be prepared to answer them and good luck!


By:
Publication: The Kansas Banker, April 2014

Many financial institutions have become very reliant upon service providers for a myriad of banking operations, such as core processing, remote deposit capture, online banking, card processing, or data backups to a cloud provider. Financial institutions depend on these organizations to accurately process transactions and securely store customer nonpublic data in accordance with reasonable internal controls.

A common method for service providers to demonstrate a controlled environment is to issue an SSAE 16 report, which is produced by an independent audit firm. The collection and review of SSAE 16s usually falls to one of many positions at a financial institution: maybe someone in Compliance, IT, Internal Audit, or maybe even Finance. Unfortunately, it frequently falls to an employee who wears multiple hats (especially at small institutions) and has little time to deal with this task. Financial institutions are typically aware they are supposed to collect these documents, but sometimes don't understand how to address reviews of these documents. They know the reviews are important, but the length, number, and complexity of these documents sometimes reserve them for a dusty shelf, where they may not get the necessary consideration.


By: (CISA, CISSP, CRISC)
Publication: Nebraska Banker, March/April 2014

In December 2013, the FFIEC issued final guidance on Social Media entitled "Social Media: Consumer Compliance Risk Management Guidance." The purpose of the guidance was to help financial institutions better understand the risks of social media and provide some expectations for managing those risks. The FFIEC points out that "the guidance does not impose any new requirements on financial institutions;" however, the guidance does provide considerations financial institutions may use in crafting a risk management program.

Under Section III, titled "Compliance Risk Management Expectations for Social Media," of the final guidance, it states: "A financial institution should have a risk management program that allows it to identify, measure, monitor, and control the risks related to social media." Section III goes on to define seven components that should be included in a bank's social media risk management program. Let's take a look at these components.


By:
Publication: The Colorado Banker, January/February 2014

I know compliance requirements can feel like a burden, and doing compliance solely for the sake of compliance can really feel like a burden. Taking a step back from the checklists and trying to see the spirit of the law can help to keep you from being overwhelmed. It can also help you clean up the parts of your information security program that may have gotten out of hand over the years. Vendor management is one area that can get overwhelming and unnecessarily complex when you try to check things off without truly understanding the process. Vendor management also seems to be on many examiners' radars this year, so now is a great time to clean up your vendor management program and make it work for you instead of the other way around.


By: (CISA, CISSP, CRISC)
Publication: VACB (Virginia Association of Community Banks) The Community Banker, Winter 2013

Recently we have seen a focus on vendor management during exams. Regulators have been concerned that the quality of third-party risk management practices may not be keeping pace with the increasing level of risk and complexity of these relationships. As a result of this concern and new focus, the OCC released a Bulletin titled "Third-Party Relationships: Risk Management Guidance" on October 30, 2013. The bulletin provides guidance for assessing and managing risks associated with third-party relationships.

Risk Management Life Cycle

The guidance describes a Risk Management Life Cycle as a way to effectively manage third-party risk, see figure 1. This continuous life cycle process incorporates the following phases and practices:

Planning


By: (Security+)
Publication: The Kansas Banker, December 2013

Your Business Continuity Plan (BCP) is your life raft for both expected and unexpected disasters. It is your road map to recovery. Illustrations aside, it's very important, and your employees need to be able to read it. I've heard it said that even an unschooled person should be able to pick up a BCP and get the bank restored properly. While it is important to have a well-thought-out BCP, it's not likely you will round up a team of unschooled persons to read and follow your BCP. The first reason being: most unschooled people can't read. It is more likely that restoration will be performed by you and your employees; better yet, employees who have been hand-picked as capable workers. I make note of this anecdote because banks often design business continuity plans with every single step and click explained for every facet of the organization. As important as it is for your BCP to be thorough, it's just as important for it to be user friendly.
