On January16, the FDIC and the OCC announced (FDIC FIL-3-2020, OCC Bulletin 2020-5) the issuance of a joint statement on risk management of current heightened cybersecurity risks. The statement reminds supervised financial institutions to maintain preventative controls and update and test incident response and business continuity plans. It also sets out best practices in these areas for supervised financial institutions.

The bulletin lists six “key controls” including:

  • Response, resilience and recovery capabilities. Maintain system backups and segment data to prevent spread of malicious activity across the network and to increase recovery capabilities. Incident and business resilience plans should set out cyber attack response and business continuity procedures and a data backup program should be set up and regularly tested. Cyber insurance coverage may further mitigate cyber risk exposure.
  • Identity and access management. Implement identity and access management controls to combat phishing attacks and prevent theft of login credentials. Incorporate risk-based authentication, limit user permissions, and continually monitor user accounts.
  • Network configuration and system hardening. Configure networks with appropriate security settings that are regularly updated. Update anti-malware and routinely test network technology for vulnerabilities.
  • Employee training. Provide continuous training to keep cybersecurity program employees abreast of new cyber threats and evolving social engineering tactics.
  • Security tools and monitoring. Maintain competent cybersecurity staff or service providers to monitor for the most current “threat and vulnerability information,” regularly review audit logs, and establish and test ability to “detect and respond to attacks.”
  • Data protection. Encrypt “sensitive and critical data,” which should also be accurately classified to ensure ease in identification.