The FDIC and OCC reminded financial institutions of the importance of implementing sound cybersecurity risk management principles that include both (i) preventative controls and (ii) preparation for worst-case scenarios.

In a joint statement, the banking regulators urged financial institutions to include in their cybersecurity controls:

  • response, resilience and recovery capabilities by (i) maintaining comprehensive resilience plans in order to respond to and recover successfully from destructive cyber-attacks and (ii) establishing comprehensive system and data backup strategies;
  • identity and access management to prevent phishing attacks that could compromise login credentials;
  • network configuration and system hardening that (i) only provides access to approved ports, protocols and other services and (ii) is continually monitored;
  • employee training on recognizing cyber threats, phishing and suspicious links, in addition to measuring the success of the training programs;
  • security tools and monitoring procedures, such as (i) hiring qualified cybersecurity personnel, (ii) reviewing system and network audit logs and (iii) implementing sufficient internal and external testing programs to assess the firm's ability to detect cyber threats; and
  • data protection systems to implement (i) a data classification program and (ii) encryption and tokenization of confidential data.