On November 3, 2014, the Federal Financial Institutions Examination Council (“FFIEC”) issued a document titled “FFIEC Cybersecurity Assessment General Observations” (“Observations”), which the FFIEC gleaned from its recent cybersecurity assessments of regulated financial agencies.4 The Observations included a recommendation for financial institutions to join the Financial Services Information Sharing and Analysis Center (“FS-ISAC”). The assessment was a pilot of the FFIEC’s cybersecurity assessment program, and included over 500 community financial institutions. The Observations are not formal guidance from the FFIEC.
The FFIEC found that the cyber risks faced by institutions varied significantly between entities. The FFIEC explained that the level of cyber risk is based on an institution’s activities and connections to the Internet, balanced against any implemented safeguards. The Observations called for greater engagement from senior management and board members in cybersecurity preparedness. The FFIEC offered examples of the elements an institution should review, such as connection types (e.g., wireless networking and bring-your-own-device policies), the products and services offered, and the technology used to deliver those services. In addition to assessing cyber risk, the FFIEC suggests that institutions consider their preparedness for a cybersecurity event and review risk management protocols, threat intelligence, cybersecurity controls, and vendor management.
The FFIEC concluded its observations by reissuing its call for greater cybersecurity awareness and engagement by boards of directors and senior management. Additionally, the Observations called for greater integration and information sharing between financial institutions. One way the FFIEC recommends that financial institutions share information is through the FS-ISAC. In a separate release, the FFIEC explained that FS-ISAC information sharing is important to mitigating cybersecurity risk and gaining insight into specific vulnerabilities.5