The federal government expects banks to get a lot more serious about cybersecurity.
For the first time in history, the US Treasury Secretary has criticized the nation’s safeguards to protect against cybersecurity attacks on our financial infrastructure. In response, the Federal Financial Institutions Examination Council (FFIEC) took three initial steps to increase awareness in the US banking system:
The Office of the Comptroller of the Currency (OCC) and other agencies have also joined in the effort.
There’s a reason why regulators are emphasizing cybersecurity. Unlike past years, bank regulators and security officials are no longer focusing exclusively on detecting fraud in our nation’s financial industry. Their attention has expanded to include potential damage to the national financial infrastructure from a cyberwar and other Internet-based threats.
Point-of-sale attacks against major retailers, including Target Corp., Neiman Marcus, and Michaels, are only the start, according to Treasury Secretary Jacob Lew. "Our cyberdefenses are not yet where they need to be," he said a few weeks ago. He predicted a cyberattack, even if it didn’t directly attack a bank or other financial institution, could cause “catastrophic damage.”
The federal government’s first large-scale initiative is a cybersecurity risk assessment pilot program targeting more than 500 community banking institutions, overseen by the Federal Financial Institutions Examination Council (FFIEC). The goal is to raise awareness of cybersecurity risks at financial institutions and to help those institutions better identify, assess, and mitigate those risks.
That pilot program contains three major objectives:
For banks, two major areas of concern with the pilot have not been fully addressed.
So far, the FFIEC has only said that the initial risk assessments will be used to evaluate the current level of cybersecurity awareness and readiness among banks, and establish a baseline for future recommendations.
Institutions will be expected to demonstrate that they understand the cybersecurity risks they and the industry face, and have strategies and tactics to identify and mitigate those risks.
The FFIEC and its member agencies are treating cybersecurity and the management of cybersecurity risks as a critical priority. Recently published guidelines cover the four key areas the FFIEC believes are most important:
Federal legislation and additional regulatory scrutiny are surely on the horizon, as are state regulations that cover state-chartered institutions. For now, institutions should make these best practices a priority.
Begin at the top. Build a security culture that encompasses all departments and operations. Cybersecurity isn’t an IT issue, compliance issue, or audit committee issue. It is an organizational issue.
Be aware. Understand the recommendations and guidance from the FFIEC and the role that the OCC and other agencies play in safeguarding the banking industry. Become familiar with the cybersecurity framework developed by the National Institute of Standards and Technology (NIST).
Align strategies. Cybersecurity and risk management strategies shouldn’t be treated as stand-alone initiatives, but should be combined with general business practices as an integral part of an institution’s day-to-day operations.
Manage risks. Develop policies and procedures for monitoring, measuring, and mitigating risks—again, not just for IT employees, but for all departments and processes. Understand that risks can come from both inside (employees and vendors) and outside (hackers and cybercriminals). Also, understand, evaluate, and deploy the latest threat management tools.
Establish governance. Outline responsibilities for monitoring, evaluating, and reporting risks, both within the organization (especially senior management) and to regulatory agencies and industry organizations. Establish clear procedures and actions that include accountability.
Participate. Take part in government and industry information-sharing groups and learn from other institutions and government officials.
Conduct ongoing training. As always, the three critical components of risk management are people, processes, and technology. Ongoing education and training for all employees is critical to an overall risk management and cybersecurity strategy. Even lower-level employees with minimal network access can be a point of vulnerability that a hacker or third party can exploit.
Institutions that don’t have the internal resources to develop and implement a risk management and cybersecurity strategy can use outside specialists to manage all or part of the process.
Cybersecurity once focused on fraud (i.e., how banks can avoid losing money). Now, the federal government seeks to protect the integrity of the nation’s banking system, a much larger task. Institutions of all sizes will be expected to make cybersecurity an integral part of their operations going forward, and the time to prepare is now.
For more information on this topic, or to learn how Baker Tilly specialists can help, contact our team.