On November 3, 2014, the Federal Financial Institutions Examination Council (FFIEC) set out its Cybersecurity Assessment Observations (FFIEC Observations), placing responsibility squarely on the shoulders of bank senior management to understand and mitigate the cybersecurity risks inherent in their financial institutions.
Spurred by significant cybersecurity incidents at financial institutions, which underscored how completely a bank's ability to conduct business now depends on its IT, the FFIEC agencies spent the summer of 2014 conducting cybersecurity assessments of 500 community banks. The assessments were done as part of regularly scheduled examinations and built on the supervisory expectations already set out in existing regulatory guidance, in particular the FFIEC IT Examination Handbooks.
The FFIEC Observations represent the collective evaluation by the FFIEC regulatory agencies of how well the banks manage, and are prepared to mitigate, cybersecurity risk. The conclusions have ongoing implications for the boards of directors and senior management of all financial institutions, and for the entities that do business with them. From the FFIEC's perspective, senior management and boards of directors must become more actively engaged in managing the risks created by their institutions' critical dependence on IT.
The FFIEC Observations comprise two main areas: (1) Cybersecurity Inherent Risk and (2) Cybersecurity Preparedness. Signaling the seriousness of the FFIEC's concern, the document "suggests" questions that senior management and boards of directors should ask when assessing their institutions' cybersecurity risk and their preparedness to deal with it.
Cybersecurity Inherent Risk
The FFIEC Observations define Cybersecurity Inherent Risk as "the amount of risk posed by a financial institution's activities and connections, notwithstanding risk-mitigation controls in place." In other words, inherent risk is the institution's exposure before any compensating controls are credited; the adequacy of those controls is assessed separately under Cybersecurity Preparedness. An assessment of inherent risk by senior management and the board of directors must consider the type, volume, and complexity of the institution's operations, such as its connection types, the products and services it offers, and the technologies it uses, including internet and mobile applications.
The assessments behind the FFIEC Observations reviewed the financial institutions' current practices and overall preparedness, with particular attention to the following areas:
- Risk Management and Oversight;
- Threat Intelligence and Collaboration;
- Cybersecurity Controls;
- External Dependency Management; and
- Cyber Incident Management and Recovery.
Although the FFIEC Observations focus on financial institutions, the document is also directly relevant to the entities, including non-banks, that provide IT and other services to financial institutions, for two reasons. First, financial institutions are expected to understand how they are connected to third parties and to ensure that those third parties are managing their own cybersecurity risks; a provider that cannot demonstrate this will find it reflected in its customers' risk assessments. Second, these same third-party service providers, including non-banks, can themselves be subject to the jurisdiction and oversight of the FFIEC regulatory agencies.
The FFIEC Observations also recommend that financial institutions of all sizes participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC). FS-ISAC is one of a number of nonprofit, industry sector-focused organizations created to share timely information about threats, vulnerabilities, and breaches among their members.
Finally, the members of the FFIEC are reviewing and updating their current guidance to financial institutions to align it more closely with the changing cybersecurity risk landscape. Like other regulators, the FFIEC faces the difficulty of making guidance specific enough to give financial institutions real direction without preventing them from taking appropriate advantage of the opportunities that increasing use of IT presents.
It is difficult to put a timeline on these updates, but given their importance to the financial regulators, we should expect two developments in the near future:
- Further formal guidance on cybersecurity risk identification and mitigation; and
- Requirements for boards of directors and senior management to take a more active role in shaping and overseeing these enhanced policies and procedures.