Earlier this year, the Federal Financial Institutions Examiner’s Council (FFIEC) announced that their 2015 cybersecurity priority is to enhance regulator and financial institution assessment and examination capabilities, including updating the IT Examination Handbook, enhancing the technology service provider (TSP) examinations, and providing financial institutions with a self-assessment tool.
#1: Update the IT Examination Handbook
FFIEC is updating the Information Technology Examination Handbook to reflect rapidly evolving cyber threats and vulnerabilities. Its focus will be on risk management and oversight, threat intelligence and collaboration, cybersecurity controls, external dependency management, and incident management and resilience. The current IT handbook has not been updated for a few years. The proposed revision (or supplement) will bring it up to date and reflect what is currently going on in the cyber environment. This is particularly important because it will give institutions insight into what future examinations are going to focus on and help them better prepare.
For updates, visit the FFIEC InfoBase at http://ithandbook.ffiec.gov/.
#2: Focus on Technology Service Providers
Technology service providers (TSPs) are subject to regulatory examinations. To date, examiners have not focused on cyber threat or response capabilities; this is about to change. Examiners will be assessing how TSPs prepare for cyber threats, how they detect and respond to them, and how they communicate and interact with financial institutions during an incident.
#3: Publish and Support a Cybersecurity Financial Institution Assessment Tool
The FFIEC has developed a new Cybersecurity Assessment Tool to assist financial institutions in evaluating their cybersecurity risk and incident management capabilities. The tool was released in June 2015, and contains two parts. The first part is the Inherent Risk Profile which describes activities across risk categories and defines the level of inherent risk from least to most. Cybersecurity Maturity is the second part, which allows management to measure the institution’s level of risk and corresponding controls.
More information on the FFIEC’s Cybersecurity Assessment Tool can be found at www.ffiec.gov/cyberassessmenttool.htm.
Service Provider Cybersecurity Review Program Now Available!
Proper oversight of your third-party service providers, including Technology Service Providers (TSPs), is an essential element of your institution’s cyber resilience strategy. You can outsource the function, but never the responsibility. Tyler Cybersecurity’s Service Provider Cybersecurity Assessment Program supports the management of all your third-party service providers and ensures you are in compliance.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net.