The FDIC and OCC reminded financial institutions of the importance of implementing sound cybersecurity risk management principles that include both (i) preventative controls and (ii) preparation for worst-case scenarios.
In a joint statement, the banking regulators urged financial institutions to include in their cybersecurity controls:
- response, resilience and recovery capabilities by (i) maintaining comprehensive resilience plans in order to respond to and recover successfully from destructive cyber-attacks and (ii) establishing comprehensive system and data backup strategies;
- identity and access management to prevent phishing attacks that could compromise login credentials;
- network configuration and system hardening that (i) provide access only to approved ports, protocols and other services and (ii) are continually monitored;
- employee training on recognizing cyber threats, phishing and suspicious links, in addition to measuring the success of the training programs;
- security tools and monitoring procedures, such as (i) hiring qualified cybersecurity personnel, (ii) reviewing system and network audit logs and (iii) implementing sufficient internal and external testing programs to assess the firm's ability to detect cyber threats; and
- data protection systems to implement (i) a data classification program and (ii) encryption and tokenization of confidential data.