In preparation for upcoming regulatory examinations, every financial institution should immediately start evaluating its cybersecurity profile. Examiners expect executive management and boards of directors to understand their bank's cybersecurity strengths and weaknesses. According to those familiar with the examination pilot, cybersecurity examinations will focus on five key areas: governance, threat intelligence and collaboration, cybersecurity controls, external dependency management, and cyber incident management and resilience.
A brief description of each area as well as internal discussion questions are provided in the paragraphs below. Initial discussions should be followed by a structured FFIEC Cybersecurity Assessment.
Governance
Governance includes proactive adoption of appropriate policies, oversight, allocation of resources and risk management. The expectation is that consideration of cybersecurity-related threats and risks will be commonplace in the boardroom and executive suite. Questions to consider when initially evaluating cybersecurity governance include:
- Do our Directors and Officers understand cybersecurity threats and risks as they relate to our institution and industry sector?
- Have we aligned our business and cybersecurity strategies?
- Are we appropriately allocating resources, roles and responsibilities?
- How do we evaluate emerging threats?
- Are we prepared to respond to a cyber-attack?
Threat Intelligence and Collaboration
Threat intelligence and collaboration relates to gathering, monitoring, analyzing, and sharing information from internal and external sources on cyber threats and vulnerabilities. Institutions are expected to monitor event logs for anomalies, maintain sufficient awareness of cybersecurity threats, and be able to process and correlate information from various sources. Questions to consider when initially evaluating threat intelligence capabilities include:
- Are we analyzing our event logs on a daily basis to identify anomalies or suspicious activities?
- How is this information shared internally?
- How are we staying abreast of cyber vulnerabilities and threats?
- Do we participate in information sharing forums (e.g. Financial Services Information Sharing and Analysis Center – FS-ISAC) and if so, what is our level of participation?
- How do our threat intelligence activities inform our risk management decision making?
Cybersecurity Controls
Cybersecurity controls can be preventive, deterrent, detective or corrective actions implemented to decrease the likelihood of and/or mitigate the impact of a successful cyber-attack. These controls can be administrative (e.g. training and awareness programs), physical (e.g. controlling access to data centers), operational (e.g. patch management programs) or technical (e.g. implementing encryption). Successful design, implementation, management, assessment and audit of cybersecurity controls require the participation of multiple departments, including information technology, risk management, human resources, information security, and facilities, as well as designated board of director committees.
Questions to consider when initially evaluating cybersecurity controls include:
- Who has been assigned responsibility for evaluation and implementation of cybersecurity controls?
- Does our institution utilize a multi-departmental approach?
- Do our training programs demonstrate the importance of our cybersecurity controls?
- How do we evaluate the effectiveness of our cybersecurity controls?
- Do we engage independent cybersecurity experts to review our control environment?
External Dependency Management
Every Internet connection is a potential entry point for an attack. Institutions must be mindful of the practices of third-party service providers, business partners and customer-facing websites. It is the responsibility of the institution to set cybersecurity standards, require third parties to demonstrate adherence, and be willing to disengage from those who do not comply. Questions to consider when initially evaluating external dependency management include:
- Do we have an inventory of all of our third-party connections and websites?
- Do we have documented cybersecurity requirements for service providers and business partners?
- Who is responsible for evaluating third-party cybersecurity controls and do they have the required expertise?
- Do our contracts require third parties to notify the institution, within a specified time period, if they detect suspicious activity and/or are under attack?
- What is our communications protocol if we need to notify service providers and business partners of suspicious activity or cyber-attack?
Need help with your technical service providers? Check out our Service Provider Cybersecurity Assessment Program.
Cyber Incident Management and Resilience
Cyber resilience is about ensuring the sustainability and success of an organization even while it is being attacked. Cyber incident management involves incident detection, response, containment, mitigation, recovery, regulatory reporting and, when warranted, customer notification. Every institution, regardless of size, should have an incident response team in place, a documented incident response plan, and a practiced capability. Questions to consider when initially evaluating cyber incident management and resilience include:
- How would we know if a cyber-attack was successful?
- Do we know how to respond to a cyber-attack?
- Do we have an established Incident Response Team and if so, are the right people on the Team?
- Have we identified and established relationships with external resources such as law enforcement, forensic experts, legal counsel and marketing specialists?
- Do we participate in mock incident response exercises?
Examiners will expect executive management and boards of directors to understand their financial institution's cybersecurity strengths and weaknesses.
Need Help with your Cybersecurity Assessment?
Every financial institution will be expected to complete the FFIEC or an equivalent assessment. With 494 declarative statements to review, it can be a daunting and resource-intensive task. Using Tyler as a resource will make your job easier. Our collaborative approach ensures that the assessment process is effective, educational, and delivers actionable outcomes. The service is available as part of our Executive Cybersecurity Readiness Program or as a standalone engagement.