In February, 2016, the Division of Risk Management Supervision of the Federal Deposit Insurance Corporation (“FDIC”) published “A Framework for Cybersecurity.” The article provides a good “sanity check” for financial institutions to ensure that they are using best practices to manage and update their information security programs as needed to ensure that the programs are prepared for new and emerging cybersecurity threats. Under the Gramm Leach Bliley Act (GLB Act), and its implementing FDIC Rules (Appendix B) and the Federal Reserve’s Interagency Guidelines Establishing Information Security Standards, financial institutions must develop and maintain an effective information security program. The FDIC article proposes a new cybersecurity framework that would “modify” existing information security programs at financial institutions to address emerging cyber risks” as “the operating environment and threat landscape change.” This cybersecurity framework should also be regularly evaluated and updated. In other words, the information security program must include an ongoing risk assessment process, including an audit program to validate that the designed “cyber risk control structure” is adequate and effective.
What steps can your bank undertake to maintain an information security program with an adequate and effective cyber risk control structure to protect itself and its customers?
The article discusses four critical components of any cyber risk control structure, all of which can be considered industry “best practices” for national banks and community banks alike:
- Corporate Governance of Cybersecurity – executive management and the Board of Directors must play a “key role” in overseeing cyber risk control programs and establishing a “corporate culture prioritizing cybersecurity”;
- Threat Intelligence – Under the November, 2014 Federal Financial Institutions Examination Council (“FFIEC”) Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement, bank management is expected to monitor cybersecurity threats and vulnerability information so they may “evaluate risk and respond accordingly.” In other words, each financial institution must have an ongoing program for gathering, analyzing and sharing “actionable intelligence” about threats and vulnerabilities. Among recommended sources for such “actionable intelligence” are:
- The Financial Services Information Sharing and Analysis Center (FS-ISAC), is an information-sharing forum to facilitate sharing of cybersecurity threat and vulnerability information. www.fsisac.com (tel. 1/800-464-0085). FS-ISAC provides analysis and mitigation strategies on information security, physical security, disaster recovery, fraud investigations and payment system risk. It also offers webinars, workshops, threat exercises, and has established a community bank working group with weekly cyber updates.
- The US Computer Emergency Readiness Team (US-CERT)/DHS, is focused on current security issues, vulnerabilities and “exploits.” Alerts can be subscribed to at www.us-cert.gov and US-CERT offers publications, educational material and some assistance with cyber threats.
- Security Awareness Training – Making cybersecurity awareness training available to bank personnel, contractors, customers, merchants and other parties who are potential access points to a bank’s data systems. In one cited example, corporate account takeovers typically occur when a customer’s login credentials are stolen, resulting in unauthorized money transfers from compromised accounts. And even customer service personnel can be fooled by “pretexting” fraud into divulging passwords or log-in credentials to a person claiming to be an “IT” colleague or contractor.
- Patch Management Programs – An effective program should include written policies and procedures to recognize, prioritize, test, and implement timely patches to intervene on known vulnerabilities in applications and operating systems. This includes creating an “asset inventory” cataloguing all systems, including software and firmware (routers and firewall operating systems), and requiring patch management oversight, including oversight of systems that are upgraded or patched by vendors. An effective program should also respond to threat intelligence sources that report on specific vulnerabilities. Finally, management should develop longer term technology strategies to migrate from unsupported or obsolete systems or applications.
The article also discusses a variety of free FDIC cybersecurity resources available for community banks, including the Cyber Challenge exercise (found under the Community Banking Initiative link on the FDIC website); periodic cybersecurity awareness training programs for FDIC-supervised institutions held in FDIC regional offices; and recent cybersecurity video simulation available on the FDIC website. Finally, in 2014 the FFIEC Cybersecurity and Critical Infrastructure Working Group (CCIWG)) conducted a pilot cybersecurity assessment at more than 500 community financial institutions to evaluate preparedness. The results were reflected in the FFIEC document “Cybersecurity Assessment General Observations” which offers suggested questions for CEOs and Boards of Directors to ask when assessing their own institution’s cybersecurity preparedness.