The federal government expects banks to get a lot more serious about cybersecurity.

For the first time in history, the US Treasury Secretary has criticized the nation’s safeguards to protect against cybersecurity attacks on our financial infrastructure. In response, the Federal Financial Institutions Examination Council (FFIEC) took three initial steps to increase awareness in the US banking system:

  1. Launched a new web page to consolidate cybersecurity sources that can be easily accessed by banks;
  2. Hosted webinars for bank CEOs, senior management, and audit committees to make them aware of cyber threats and their role in mitigating them; and
  3. Created a pilot program to conduct cybersecurity risk assessments.

The Office of the Comptroller of the Currency (OCC) and other agencies have also joined in the effort.

Expanded focus

There’s a reason why regulators are emphasizing cybersecurity. Unlike past years, bank regulators and security officials are no longer focusing exclusively on detecting fraud in our nation’s financial industry. Their attention has expanded to include potential damage to the national financial infrastructure from a cyberwar and other Internet-based threats.

Point-of-sale attacks against major retailers, including Target Corp., Neiman Marcus, and Michaels, are only the start, according to Treasury Secretary Jacob Lew. “Our cyberdefenses are not yet where they need to be,” he said a few weeks ago. He predicted that a cyberattack, even if it didn’t directly target a bank or other financial institution, could cause “catastrophic damage.”

New cybersecurity risk assessments

The federal government’s first large-scale initiative is a cybersecurity risk assessment pilot program targeting more than 500 community banking institutions, overseen by the FFIEC. The goal is to raise awareness of cybersecurity risks at financial institutions and to help those institutions better identify, assess, and mitigate those risks.

That pilot program contains three major objectives:

  1. Educating financial institutions about the pilot program and holding bank executives and audit committees responsible for identifying, managing, and mitigating risks
  2. Identifying concrete action steps banks can take to ensure their cybersecurity strategy will meet current and evolving government regulations
  3. Conducting cybersecurity risk assessments to test the awareness and readiness of community banks and credit unions

For banks, two major areas of concern with the pilot have not been fully addressed:

  1. Will institutions be able to share information openly and honestly without fear of penalties or other repercussions? Banks have argued that, without a “safe harbor,” they may be reluctant to offer information. If the government wants institutions to treat cybersecurity as a shared problem, a safe harbor where banks can offer information without repercussions is critical.
  2. What will the cybersecurity risk assessments measure, and what results do regulators and examiners expect? The FFIEC has given general guidelines, but banks would like more detailed information.

So far, the FFIEC has only said that the initial risk assessments will be used to evaluate the current level of cybersecurity awareness and readiness among banks, and establish a baseline for future recommendations.

Institutions will be expected to demonstrate that they understand the cybersecurity risks they and the industry face, and have strategies and tactics to identify and mitigate those risks.

Cybersecurity and FFIEC guidance

The FFIEC and its member agencies are treating cybersecurity and the management of cybersecurity risks as a critical priority. Recently published guidelines cover the four key areas the FFIEC believes are most important:

  1. Governance. What are the bank’s policies and procedures? How does the bank establish and communicate expectations and conduct training? Is the entire organization, not just the IT department, involved in addressing cybersecurity risk? How would the institution react if something goes wrong?
  2. Threat intelligence. How does the institution monitor and remain aware of potential threats? What internal and external resources does the bank utilize to keep up to date on potential risks? What threat detection tools does the institution use? Does the bank participate in the FBI’s InfraGard and other intelligence sharing programs? How does the bank monitor and guard against unforeseen threats?
  3. Third-party relationships. As banks continue to outsource more non-core activities, the responsibility to manage cybersecurity with third-party vendors is also increasing. Does the bank follow the OCC guidelines? Can the bank’s third parties pass the scrutiny of independent reviews (e.g., Service Organization Control (SOC 1, 2, 3) examinations)? It should be noted that the data breach at Target occurred, at least in part, because of the activities of a third-party vendor, and the FFIEC is focused on preventing that type of vulnerability within the banking system.
  4. Incident response. At last count, there were forty-six state laws and innumerable federal laws and regulations that address the reporting of data breaches of different types. Many of these laws and regulations differ in terms of when breaches must be reported and to whom. Determining if a breach actually occurred and how it occurred may add both time and complexity to the incident reporting process. A strong and effective incident response plan may help banks cut the time needed to manage and report the incident. It is critical that institutions have an incident response plan that can be successfully executed.

Cybersecurity steps to take now

Federal legislation and additional regulatory scrutiny are surely on the horizon, as are state regulations that cover state-chartered institutions. For now, institutions should make these best practices a priority.

Begin at the top. Build a security culture that encompasses all departments and operations. Cybersecurity isn’t an IT issue, compliance issue, or audit committee issue. It is an organizational issue.

Be aware. Understand the recommendations and guidance from the FFIEC and the role that the OCC and other agencies play in safeguarding the banking industry. Become familiar with the cybersecurity framework developed by the National Institute of Standards and Technology (NIST).

Align strategies. Cybersecurity and risk management strategies shouldn’t be treated as stand-alone initiatives, but should be combined with general business practices as an integral part of an institution’s day-to-day operations.

Manage risks. Develop policies and procedures for monitoring, measuring, and mitigating risks—again, not just for IT employees, but for all departments and processes. Understand that risks can come from both inside (employees and vendors) and outside (hackers and cybercriminals). Also, understand, evaluate, and deploy the latest threat management tools.

Establish governance. Outline responsibilities for monitoring, evaluating, and reporting risks, both within the organization (especially senior management) and to regulatory agencies and industry organizations. Establish clear procedures and actions that include accountability.

Participate. Take part in government and industry information-sharing groups and learn from other institutions and government officials.

Conduct ongoing training. As always, the three critical components of risk management are people, processes, and technology. Ongoing education and training for all employees are critical to an overall risk management and cybersecurity strategy. Even lower-level employees with minimal network access can be a point of vulnerability that a hacker or third party can exploit.

Getting outside support

Institutions that don’t have the internal resources to develop and implement a risk management and cybersecurity strategy can use outside specialists to manage all or part of the process.

Cybersecurity once focused on fraud (i.e., how banks can avoid losing money). Now, the federal government seeks to protect the integrity of the nation’s banking system, a much larger task. Institutions of all sizes will be expected to make cybersecurity an integral part of their operations going forward, and the time to prepare is now.

For more information on this topic, or to learn how Baker Tilly specialists can help, contact our team.