Why it matters
Financial institutions of all sizes need to share cyberthreat information with each other, the Federal Financial Institutions Examination Council (FFIEC) urged based upon an assessment performed of the preparedness of various community institutions. “Recent cyber attacks and widely reported pervasive vulnerabilities highlight the rapidly changing cyber risk landscape,” the FFIEC stated. “Financial institutions participating in information-sharing forums have improved their ability to identify attack tactics and successfully mitigate cyber attacks on their systems.” The call to action included a statement from the FFIEC members (the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, the Consumer Financial Protection Bureau, the National Credit Union Administration, and the State Liaison Committee) encouraging information sharing as well as a report on general observations gleaned from the nationwide assessment.
The FFIEC’s latest statement reflects regulators’ continued and increasing focus on the importance of cybersecurity to risk mitigation, including communications and information sharing from both within and among institutions in order to mitigate risks.
Recommending that financial institutions of all sizes participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC), the FFIEC released a statement on information sharing emphasizing that such forums are “an important element of an institution’s risk management processes and its ability to identify, respond to, and mitigate cybersecurity threats and incidents.”
Recent attacks have highlighted the “rapidly changing” cyberrisk landscape, the FFIEC said, and those institutions that participate in information sharing “have improved their ability to identify attack tactics and successfully mitigate cyber attacks on their systems” and have gained “deeper insight” into their specific vulnerabilities and how to enhance their controls.
To mitigate risk, the FFIEC said financial institutions are expected to “monitor and maintain sufficient awareness of cybersecurity threats and vulnerability information so that they may evaluate risk and respond accordingly.” Policies and procedures should be in place to evaluate risk specific to the institution, and the use of the FS-ISAC and other resources can enhance risk management.
In a separate document, the FFIEC released general observations based on cybersecurity assessments conducted during the summer of 2014 at more than 500 community institutions.
Risk varies significantly across financial institutions, the report noted, depending on the type, volume, and complexity of operational considerations, including connection types, products and services offered, and technologies used. For example, access points and connection types like wireless networks or BYOD (bring your own device) raise questions for banks – Do we need all these connections? How are we managing these connections in light of constantly changing cyberthreats? And how do all of the connections and technologies collectively affect the institution’s risk?
Each product and service introduces separate risks, as do different technologies like ATMs (presenting concerns about cash-out scams) and Internet services (which may be vulnerable to distributed denial-of-service, or DDoS attacks).
Cybersecurity preparedness is essential for financial institutions, the FFIEC said, including consideration of issues like the process for ensuring ongoing and routine discussions at the senior management and board level about cyberthreats and determining accountability for managing cyberrisk. In addition, “the outcome and benefits improve when training and awareness programs are kept current and are provided on a routine basis” for all employees, the report noted.
Again referencing collaboration, the report stressed that “[p]articipating in information sharing forums (e.g. FS-ISAC) is an important element of a financial institution’s risk management processes and its ability to identify, respond to, and mitigate cybersecurity threats and incidents.” Keeping on top of media reports about potential cyber events and maintaining event logs also provide valuable threat intelligence.
Financial institutions can establish a range of cybersecurity controls from preventative to detective to corrective, the FFIEC said, and should include external dependency management considerations like third-party service providers or business partners. “Before executing a contract, it is important for management to consider the risks of each connection and evaluate the third party’s cybersecurity controls,” the report stated.
If a cyberattack occurs, financial institutions should have in place notification procedures (for customers, regulators, and law enforcement) and processes to provide documentation. Testing the plans “across business functions and with third parties will help financial institutions identify and manage gaps before cyber attacks occur,” the FFIEC wrote.
To read the FFIEC’s statement on sharing, click here.
To read the FFIEC’s cybersecurity assessment, click here.