FFIEC to Prepare New Cyber-Risk PolicyRegulators Reveal More Cybersecurity Initiatives
The Federal Financial Institutions Examination Council plans to take several additional steps to help banking institutions enhance their cybersecurity risk preparedness.
On March 17, the FFIEC revealed plans to update and supplement various booklets in its Information Technology Examination Handbook "to reflect rapidly evolving cyberthreats and vulnerabilities, with a focus on risk management and oversight; threat intelligence and collaboration; cybersecurity controls; external dependency management; and incident management and resilience." It did not indicate when the new policies designed to help institutions address cybersecurity would be issued.
The council also revealed six other key steps:
- Cybersecurity Self-Assessment Tool: The FFIEC plans to issue a self-assessment tool this year to assist institutions in evaluating their inherent cybersecurity risk and their risk management capabilities.
- Incident Analysis: FFIEC members will enhance their processes for gathering, analyzing and sharing information with each other during cyber-incidents.
- Crisis Management: The FFIEC will align, update and test emergency protocols to respond to systemwide cyber-incidents in coordination with public-private partnerships.
- Training: The council will develop training programs for the staff of its members on evolving cyberthreats and vulnerabilities.
- Technology Service Provider Strategy: The FFIEC's members will expand their focus on technology service providers' ability to respond to growing cyberthreats and vulnerabilities.
- Collaboration with Law Enforcement and Intelligence Agencies: The council will build upon existing relationships with law enforcement and intelligence agencies to share information on the growing cybersecurity threats and response techniques.
These announcements come just one month after the FFIEC issued new business continuity guidelines related to cyber-resilience. The FFIEC's actions are designed to address risks identified during last summer's pilot program for cybersecurity risk assessments (see FFIEC Issues Cyber-Resilience Guidance).
Amy McHugh, an attorney and former FDIC IT examination analyst who now works as a banking consultant for CliftonLarsonAllen, says the FFIEC's announcements were anticipated, considering regulators' recent emphasis on cyberthreat resilience.
Earlier this month, McHugh said many of her bank and credit union clients began contacting her about questions regulators were asking during their cyber-exams.
"One client emailed me today stating the FDIC recommended they develop a cybersecurity policy and program," McHugh told Information Security Media Group on March 12. "In another exam, an FDIC examiner met with two board members separately and asked them about the bank's cybersecurity program, how the board was providing oversight of the program, and the risks they identified for their bank. The examiner seemed to emphasize board oversight."
On the heels of the FFIEC's just-released cyber-resilience guidance, which came as an appendix to the FFIEC's Business Continuity Planning Booklet within the IT Examination Handbook, Deputy Comptroller of the Currency Beth Dugan foreshadowed the issuance of more cybersecurity-related policies (see FFIEC Issues Cyber-Resilience Guidance).
"I can tell you without hesitation that the risks to banks from cyberthreats and vulnerabilities are significant," Dugan said. "The severity of cyberthreats is escalating rapidly, and attackers are exhibiting an increasing ability to exploit vulnerabilities in commonly used infrastructure. While the impact on financial service firms has been relatively limited so far, as we see from experience in other industry sectors, there is a growing possibility for materially severe attacks on banks or the infrastructure on which they depend" (see Regulator Hints at New Cyber Guidance).
Increasing concerns about the risks cyber-attacks pose to financial services and the critical infrastructure are being voiced by numerous banking leaders and regulators. This week, Doug Johnson, senior vice president of payments and cybersecurity policy, testified before a U.S. House subcommittee about the need for more aggressive cybersecurity action.
"Attackers of every variety are also becoming increasingly adept at defeating security practices, increasing the velocity with which companies must move to ensure they understand how cyber-risks are changing and what mitigating measures are most effective against these risks," Johnson said. "It is indeed an arms race. Another increasing challenge for financial institutions and the private sector, generally, is the need to digest an increasingly larger volume of cyberthreat data."Determining the relevance of a particular piece of threat data, analyzing the magnitude of the threat, evaluating which systems might be impacted, and devising the appropriate course to take to mitigate the threat if necessary has become increasingly difficult."