On November 3, 2014, the Federal Financial Institutions Examination Council (“FFIEC”), an interagency body that prescribes principles and standards for the federal examination of financial institutions, released a set of general observations drawn from a cybersecurity examination work program (“Cybersecurity Assessment”) conducted at over 500 community financial institutions during the summer of 2014. The FFIEC’s report relates to both cybersecurity inherent risk and risk management practices and preparedness and includes themes and questions for management of financial institutions to consider concerning cybersecurity and preparedness.
With respect to cybersecurity inherent risk, or the level of risk posed by a company’s activities and connections, the Cybersecurity Assessment addresses three risk areas: connection types, products and services offered and technologies used. Regarding connection types, such as virtual private networks and wireless networks, the report notes that “[b]ecause each connection represents a potential entry point for attacks, it is important for management to consider whether the financial institution needs to maintain the types and frequency of all of its connections and which connections may be more vulnerable.” Concerning products and services, the Cybersecurity Assessment states that “[b]ecause cyber attackers develop techniques to target specific products and services, each product and service may introduce specialized cybersecurity risks, … [and] [u]nderstanding the threats and techniques attackers use for each product and service helps management to identify, assess, and mitigate the financial institution’s specific risks.” Regarding technologies, the assessment points out that the technologies used by companies introduce possible vulnerabilities. As an example, the FFIEC noted financial institutions offering ATM services that may be vulnerable to “ATM cash-out scams.”
With respect to cybersecurity preparedness, the Cybersecurity Assessment reviewed five high-level topics: risk management and oversight, threat intelligence and collaboration, cybersecurity controls, external dependency management and cyber incident management and resilience. Regarding management and oversight, the report notes that “[r]outinely discussing cybersecurity issues in board and senior management meetings will help the financial institution set the tone from the top and build a security culture” and further states that a company’s employees “can be a financial institution’s first line of defense for many types of attacks.” Concerning threat intelligence, the report states that “[f]inancial institution management is expected to monitor and maintain sufficient awareness of cybersecurity threats and vulnerabilities so they may evaluate risk and respond accordingly.” For cybersecurity controls, the assessment points out that in light of “the interconnectedness [of] financial institutions’ IT systems and the existence of widespread vulnerabilities, management can have a more complete view of their financial institutions’ risk by reviewing reports on the corrective controls in place across their critical systems and those of their third parties.” The report goes on to state that, regarding external dependency management, many companies “have processes to manage third-party relationships and document their connections” and, prior to finalizing a contract, “it is important for management to consider the risks of each connection and evaluate the third party’s cybersecurity controls.” Finally, with respect to cyber incidents, the Cybersecurity Assessment states that financial institutions “should have procedures for notifying customers, regulators, and law enforcement when incidents affect personally identifiable customer information.”
In sum, the report highlights the critical role of IT in today’s business environment and states that the dependence on IT “reinforces the need for engagement by the board of directors and senior management, including understanding the institution’s cybersecurity inherent risk; routinely discussing cybersecurity issues in meetings; monitoring and maintaining sufficient awareness of threats and vulnerabilities; establishing and maintaining a dynamic control environment; managing connections to third parties; and developing and testing business continuity and disaster recovery plans that incorporate cyber incident scenarios.”
Finally, the FFIEC recommended that, given the evolving cybersecurity risk in the financial sector, financial institutions participate in the Financial Services Information Sharing and Analysis Center (“FS-ISAC”), a private-sector information-sharing forum founded by financial industry institutions as a resource for cyber and physical threat intelligence analysis and sharing.