Earlier this month, the Federal Deposit Insurance Corporation’s (FDIC) Division of Risk Management Supervision released “A Framework for Cybersecurity” in its Winter 2015 issue of Supervisory Insights. The FDIC article outlines the current and evolving cyber threat landscape and identifies the challenges presented by these threats as “critical” to financial institutions. The article describes regulatory steps the FDIC has taken and also how banks should incorporate cybersecurity into their overall risk management framework. The article is helpful for understanding the FDIC’s cybersecurity focus and the issues upon which it expects banks subject to its supervision to focus.
The FDIC article emphasizes that banks are required to have information security programs grounded in the Gramm Leach Bliley Act’s Interagency Guidelines Establishing Information Security Standards (Guidelines) and embraces banks’ use of the NIST Framework for Improving Critical Infrastructure Cybersecurity (NIST Framework) to enhance their GLBA information security programs to account for evolving cyber risks. In particular, the FDIC suggests banks incorporate NIST framework elements to regularly review and update their programs. (For prior Hogan Lovells analysis of the NIST Framework, see here and here.)
The FDIC article focuses on banks addressing four “critical” components of their information security programs: corporate governance, threat intelligence, security awareness training, and patch management. A summary of the suggestions and steps for implementation follows below.
1. Corporate Governance
The FDIC cautions banks to approach cyber risk as they do any other business risk: as an enterprise-wide initiative. To do so, the FDIC noted it is “critical” that an institution’s executive management and Board of Directors develop a corporate culture that prioritizes cybersecurity and oversee relevant programs.
2. Threat Intelligence
The FDIC article also notes that to be able to evaluate and respond to risks, it is important to understand the threats. As such, financial institutions should have programs for gathering, analyzing, understanding, and sharing both public and private information about vulnerabilities and threats. The FDIC encourages institutions to participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC), a public-private information sharing forum that regularly delivers threat updates to banks. Also among the resources cited in developing a threat intelligence program was the U.S. Computer Emergency Readiness Team (US-CERT) of the Department of Homeland Security, which offers publications, educational materials, and assistance with cyber threats
3. Security Awareness Training
The FDIC states that banks should make cybersecurity awareness training available to all bank personnel, contractors, customers, merchants, third parties, and any other entities that may serve as access points to the bank’s systems, with training mandatory for bank contractors and personnel. The FDIC further notes that while security awareness training programs should highlight the importance of guarding against cyber risk across all business lines and functions, the training should also be tailored to individual roles and responsibilities.
4. Patch Management
Also critical to cybersecurity efforts is the existence of written and implemented policies and procedures to timely identify, prioritize, test, and apply patches. Such policies and procedures should require periodic reporting on the status of the program, including reports summarizing the identification and installation of available patches. And, the full patch management program should be subject to internal review and independent audit.
The FDIC suggests that banks approach the task of patch management by first creating an asset inventory, capturing all software and firmware, and noting which systems require patch management oversight. An effective patch management program should also maintain an awareness of products reaching or at end-of-life or that are no longer supported by a vendor, implement strategies to mitigate any risk associated with the use of unsupported and obsolete products, and establish strategies to migrate those systems. In addition, an effective patch management program should draw upon potential vulnerabilities and threats received in the organization’s threat intelligence cybersecurity efforts.
To aid banks in enhancing their cybersecurity efforts, the FDIC points to a number of regulatory resources, available here.