On November 3, 2014, the Federal Financial Institutions Examination Council (FFIEC) released its Cybersecurity Assessment General Observations of more than 500 financial institutions and their preparedness to mitigate cyber risks. The Council is a formal interagency body of the US government made up of five banking regulators: the Federal Reserve Board of Governors (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC) and the Consumer Financial Protection Bureau (CFPB).

The Council found that the level of cybersecurity risk varied across the financial institutions and recommended that all regulated financial institutions participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC). The FS-ISAC is a non-profit, information sharing forum established by financial services industry participants to facilitate the public and private sectors’ sharing of physical and cybersecurity threat and vulnerability information.

The Council’s Observations provide a framework for assessing your institution’s cybersecurity risk and preparedness. The Council’s Observations assess risk from three perspectives:

  • Connection Types (i.e., how people connect to the company’s networks);
  • Products and Services (i.e., what risks are associated with the products and services offered); and
  • Technology Used (i.e., what technologies are used to access the products and services).

The Council’s Observations assess preparedness from five perspectives:

  • Risk management and oversight (i.e., how are allocation of resources, training and employee awareness managed);
  • Threat intelligence and collaboration (i.e., how do we identify, track and predict cyber attacks);
  • Cybersecurity controls (i.e., what is the process for implementing controls to prevent, detect and correct cyber issues);
  • External dependency management (i.e., how are you managing connections to third parties); and
  • Cyber incident management and resilience (i.e., how will you respond, mitigate and report a cyber incident).

CEOs & Directors—Questions to Consider

The Council’s Observations further provide a series of specific questions that CEOs and boards can use in assessing their cybersecurity risks and preparedness. Those questions include:

Cybersecurity Inherent Risk Questions to Consider

  • What types of connections does my financial institution have?
  • How are we managing these connections in light of the rapidly evolving threat and vulnerability landscape?
  • Do we need all of our connections? Would reducing the types and frequency of connections improve our risk management?
  • How do we evaluate evolving cyber threats and vulnerabilities in our risk assessment process for the technologies we use and the products and services we offer?
  • How do our connections, products and services offered, and technologies used collectively affect our financial institution’s overall risk?

Cybersecurity Preparedness Questions to Consider

  • What is the process for ensuring ongoing and routine discussions by the board and senior management about cyber threats and vulnerabilities to our financial institution?
  • How is accountability determined for managing cyber risks across our financial institution? Does this include management’s accountability for business decisions that may introduce new cyber risks?
  • What is the process for ensuring ongoing employee awareness and effective response to cyber risks?
  • What reports are provided to our board on cyber events and trends?
  • What is the process for determining and implementing preventive, detective, and corrective controls on our financial institution’s network?
  • Does the process call for a review and update of controls when our financial institution changes its IT environment?
  • What is our financial institution’s process for classifying data and determining appropriate controls based on risk?
  • What is our process for ensuring that risks identified through our detective controls are remediated?
  • How is our financial institution connecting to third parties and ensuring they are managing their cybersecurity controls?
  • What are our third parties’ responsibilities during a cyber attack? How are these outlined in incident response plans?
  • In the event of a cyber attack, how will our financial institution respond internally and with customers, third parties, regulators, and law enforcement?
  • How are cyber incident scenarios incorporated in our financial institution’s business continuity and disaster recovery plans? Have these plans been tested?

Rapidly evolving cybersecurity risks reinforce the need for all institutions to be aware of and prepared for a cyber attack. We encourage our readers to contact experienced counsel to determine whether or not your company has appropriate policies and procedures in place.