Federal Financial Institutions Examination Council Releases Cybersecurity Assessment Results: Boards of Directors and Senior Management Need to Engage

The Federal Financial Institutions Examination Council (FFIEC) released general observations yesterday from a cybersecurity assessment of over 500 community financial institutions. The cybersecurity assessment evaluated the institutions’ preparedness to mitigate cyber risks. It ultimately found that due to the critical dependence of financial institutions on information technology to conduct business operations, combined with increasing sector interconnectedness and the rapidly evolving cyber threats, it is more important than ever before that boards of directors and senior management be engaged in managing cybersecurity risk. The cybersecurity assessment was piloted during the summer of 2014 by FFIEC membership which consists of the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, the Consumer Financial Protection Bureau, the National Credit Union Administration, and the State Liaison Committee. The assessment supplemented regularly scheduled exams and built upon key supervisory expectations contained within existing FFIEC information technology handbooks and other regulatory guidance. The cybersecurity assessment found that the level of cybersecurity inherent risk varies significantly across financial institutions. Due to the varied risks, the FFIEC stated that it was important for financial institution management to understand their inherent risk to cybersecurity threats and vulnerabilities. The FFIEC recommended a number of questions for chief executive officers and boards of directors to consider when assessing their financial institutions’ cybersecurity. The questions covered topics such as information technology access points and connection types, risk management and oversight, threat intelligence and collaboration, cybersecurity controls, external dependency management, and cyber incident management and resilience. While the questions may serve as a means to steer policy discussions, at a more basic level, they may serve to connect information technology personnel with senior management and assist with the cybersecurity educational process that is critical in an ever evolving cybersecurity environment. With regard to information technology access points and connection types, the FFIEC recommended that senior management and boards of directors consider the following questions:

• What types of connections does my financial institution have?
• How are we managing these connections in light of the rapidly evolving threat and vulnerability landscape?
• Do we need all of our connections? Would reducing the types and frequency of connections improve our risk management?
• How do we evaluate evolving cyber threats and vulnerabilities in our risk assessment process for the technologies we use and the products and services we offer?
• How do our connections, products and services offered, and technologies used collectively affect our financial institution’s overall inherent cybersecurity risk?

With regard to risk management and oversight, the FFIEC recommended that senior management and boards of directors consider the following questions:

• What is the process for ensuring ongoing and routine discussions by the board and senior management about cyber threats and vulnerabilities to our financial institution?
• How is accountability determined for managing cyber risks across our financial institution? Does this include management’s accountability for business decisions that may introduce new cyber risks?
• What is the process for ensuring ongoing employee awareness and effective response to cyber risks?

With regard to threat intelligence and collaboration, the FFIEC recommended that senior management and boards of directors consider the following questions:

• What is the process to gather and analyze threat and vulnerability information from multiple sources?
• How do we leverage this information to improve risk management practices?
• What reports are provided to our board on cyber events and trends?
• Who is accountable for maintaining relationships with law enforcement?

The FFIEC also recommended that financial institutions of all sizes participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC) as part of their process to identify, respond to, and mitigate cybersecurity threats and vulnerabilities. With regard to cybersecurity controls, the FFIEC recommended that senior management and boards of directors consider the following questions:

• What is the process for determining and implementing preventive, detective, and corrective controls on our financial institution’s network?
• Does the process call for a review and update of controls when our financial institution changes its IT environment?
• What is our financial institution’s process for classifying data and determining appropriate controls based on risk?
• What is our process for ensuring that risks identified through our detective controls are remediated?

With regard to external dependency management, the FFIEC recommended that senior management and boards of directors consider the following questions:

• How is our financial institution connecting to third parties and ensuring they are managing their cybersecurity controls?
• What are our third parties’ responsibilities during a cyberattack? How are these outlined in incident response plans?

With regard to cyber incident management and resilience, the FFIEC recommended that senior management and boards of directors consider the following questions:

• In the event of a cyberattack, how will our financial institution respond internally and with customers, third parties, regulators, and law enforcement?
• How are cyber incident scenarios incorporated in our financial institution’s business continuity and disaster recovery plans? Have these plans been tested?

In a press release announcing general observations from the assessment, the FFIEC stated that “[T]he rapidly evolving cybersecurity risks reinforce the need for all institutions and their critical technology service providers to have appropriate methods for obtaining, monitoring, sharing, and responding to threat and vulnerability information. Financial institution management is expected to monitor and maintain sufficient awareness of cybersecurity threats and vulnerability information so that they may evaluate risk and respond accordingly.”   Please contact Christin McMeley with any inquiries at 202.973.4264.