Cybersecurity has become a topic of interest to every community bank and credit union because of their growing reliance on technology, including smartphones and other mobile devices. In the financial industry it has also come under increased regulatory focus, and it will remain a hot topic for the foreseeable future, as the release of the FFIEC Cybersecurity Assessment Tool (CAT) and the updated FFIEC Management Examination Handbook make clear.
So, exactly what do regulators expect from your community bank, and how does that differ from what you may be doing already? More importantly, with additional new guidance pending, how should you demonstrate cybersecurity compliance?
The FFIEC developed the CAT to help institutions identify their risks and determine their cybersecurity preparedness. The tool gives financial institutions a repeatable, measurable process for assessing their current state of cybersecurity preparedness and for tracking changes over time.
The CAT has two parts: the Inherent Risk Profile and the Cybersecurity Maturity assessment. Inherent risk is a function of the type, size and complexity of your institution’s operations (technologies and connection types, delivery channels, online and mobile products and technology services, organizational characteristics, and external threats), and it is assessed before any existing mitigating controls are taken into account. The second part is designed to help your institution measure its behaviors, practices and processes related to cybersecurity preparedness, resilience and recovery across five domains, on a maturity scale that runs from baseline to innovative.
What Comes after the Cybersecurity Assessment?
Once a financial institution has completed both parts, management can perform a “gap analysis”: decide what actions are needed to either reduce inherent risk or raise control maturity so that the actual state matches the desired state. This is where the biggest challenge may lie for most financial institutions, because the concept of a “desired state” requires you to establish a “risk appetite,” that is, an acceptable level of cyber risk. For the vast majority of financial institutions offering electronic banking products, that level is greater than zero, but it may never have been formally approved by the board. Once your risk appetite is established, you can determine whether your residual risk (the risk that remains after controls are applied) is acceptable.
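The following script is an added example, not part of the original article and not the FFIEC's tool, of how a bank might script the gap analysis described above. It uses the CAT's real ordinal scales (five inherent risk levels, five maturity levels, five domains) and the CAT's rule that a domain reaches a maturity level only when every declarative statement at that level and all lower levels is met. The mapping from inherent risk to target maturity and the "tolerated shortfall" used to express risk appetite are assumptions for illustration; the CAT itself only says maturity should rise with inherent risk. The sample assessment results are constructed.

```python
"""Gap analysis over the FFIEC CAT scales: inherent risk profile versus
cybersecurity maturity, per domain, checked against a stated risk appetite.
Added example; not the FFIEC's own tool."""

# CAT ordinal scales, ranked from lowest to highest.
INHERENT_RISK_LEVELS = ["least", "minimal", "moderate", "significant", "most"]
MATURITY_LEVELS = ["baseline", "evolving", "intermediate", "advanced", "innovative"]

# The CAT's five cybersecurity maturity domains.
DOMAINS = [
    "Cyber Risk Management and Oversight",
    "Threat Intelligence and Collaboration",
    "Cybersecurity Controls",
    "External Dependency Management",
    "Cyber Incident Management and Resilience",
]

# ASSUMPTION: the CAT prescribes no fixed mapping from inherent risk to the
# maturity an institution must reach. This illustrative table stands in for the
# "desired state" a board would approve.
TARGET_BY_INHERENT_RISK = {
    "least": "baseline",
    "minimal": "baseline",
    "moderate": "evolving",
    "significant": "intermediate",
    "most": "advanced",
}


def domain_maturity(statement_results):
    """Return the highest maturity level a domain has attained.

    statement_results maps a maturity level to the yes/no results of that
    level's declarative statements. Per the CAT, a level counts only if every
    statement at that level and every lower level is attained. Returns None
    when even the baseline statements are not all met.
    """
    achieved = None
    for level in MATURITY_LEVELS:
        answers = statement_results.get(level, [])
        if answers and all(answers):
            achieved = level
        else:
            break
    return achieved


def maturity_rank(level):
    # A domain below baseline ranks beneath every named level.
    return -1 if level is None else MATURITY_LEVELS.index(level)


def gap_analysis(inherent_risk, actual_maturity, tolerated_shortfall=0):
    """Compare actual per-domain maturity with the target implied by inherent risk.

    tolerated_shortfall (assumption) expresses risk appetite: how many maturity
    levels below target the board accepts. 0 means every domain must meet target.
    Returns the target, the domains that exceed the tolerated gap (largest gap
    first), and whether residual risk is within appetite.
    """
    if inherent_risk not in INHERENT_RISK_LEVELS:
        raise ValueError(f"unknown inherent risk level: {inherent_risk!r}")
    target = TARGET_BY_INHERENT_RISK[inherent_risk]
    target_rank = maturity_rank(target)
    gaps = []
    for domain in DOMAINS:
        actual = actual_maturity[domain]
        shortfall = target_rank - maturity_rank(actual)
        if shortfall > tolerated_shortfall:
            gaps.append({"domain": domain, "actual": actual,
                         "target": target, "shortfall": shortfall})
    gaps.sort(key=lambda g: g["shortfall"], reverse=True)
    return {"target": target, "gaps": gaps, "residual_acceptable": not gaps}


# Constructed sample: declarative-statement results for one domain, showing
# that a single failed "evolving" statement leaves the domain at baseline.
SAMPLE_STATEMENTS = {
    "baseline": [True, True, True],
    "evolving": [True, False],
    "intermediate": [True],
}

# Constructed sample: a moderate-inherent-risk bank's domain maturity levels.
SAMPLE_ACTUAL = {
    "Cyber Risk Management and Oversight": "evolving",
    "Threat Intelligence and Collaboration": domain_maturity(SAMPLE_STATEMENTS),
    "Cybersecurity Controls": "intermediate",
    "External Dependency Management": "baseline",
    "Cyber Incident Management and Resilience": "evolving",
}


def example_report():
    """Run the sample through the gap analysis at zero tolerated shortfall."""
    return gap_analysis("moderate", SAMPLE_ACTUAL)


if __name__ == "__main__":
    report = example_report()
    print(f"target maturity: {report['target']}")
    for g in report["gaps"]:
        print(f"  {g['domain']}: {g['actual']} -> {g['target']} (short {g['shortfall']})")
    print("residual risk acceptable:", report["residual_acceptable"])
```

Running the sample flags Threat Intelligence and Collaboration and External Dependency Management as below the evolving target, so residual risk is outside a zero-tolerance appetite; rerunning with `tolerated_shortfall=1` reports it as acceptable. That difference is exactly the decision the article says the board must make and approve.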
Right now, most financial institutions seem to be on the first step: simply completing the CAT. Note that even though some regulatory agencies have indicated that completing the tool is not mandatory, all of the agencies have stated that they intend to use it to assess your cybersecurity readiness.
So what should your financial institution be doing now in order to comply with new Cybersecurity regulations?
You need to make sure your information security, business continuity and vendor management policies and procedures are up to date. There is no regulatory requirement to have a separate cybersecurity policy as long as cybersecurity is addressed in each of those existing policies. You need procedures in place to secure customer and confidential data and to recover critical business processes regardless of the source or nature of the threat. Your risk assessments should be organized around the impact to the institution rather than around individual threats, but make sure each one specifically identifies the source of the risk, cyber threats included.
Make Sure your Vendor Management Program Accounts for Cyber Threats
Vendor risk assessments will need to be adjusted if they don’t specifically account for cyber threats. For example, critical vendors should be assessed for their exposure to, and protection from, cyber threats, with your oversight controls adjusted accordingly (e.g. SOC audit reports, penetration test results). Your business continuity planning risk assessment should account for the impact and probability of cyberattacks, as well as traditional fraud, theft and blackmail. Regulators will likely be looking for specific references to cyber concerns, so make sure your vendor management policies include one as well.
Hopefully you have already incorporated cyber-based security elements into your overall information security program, so that very little adjustment is needed. Whatever your specific approach to cybersecurity entails, be prepared to discuss what you are doing, and how you are doing it, with the regulators. They will ask about it!