Because so many financial institutions outsource their core systems, cybersecurity readiness for most of them means managing vendors effectively and having a proven plan in place to detect and recover from a cyberattack. According to the FDIC, however, a cybersecurity risk management program should contain more than that.
An Effective Cybersecurity Program Should Contain These Four Elements:
- Governance: risk management and oversight
- Threat intelligence and collaboration: internal and external resources
- Third-party service provider and vendor risk management
- Incident response and resilience
Let’s look at each area in a little more detail and discuss how you can best meet each expectation:
Governance: Risk Management and Oversight
Virtually all FFIEC examination handbooks list proper governance as the first and most important item necessary for compliance. According to the FFIEC, governance is achieved through the management structure, assignment of responsibilities and authority, establishment of policies, standards and procedures, allocation of resources, and monitoring and accountability.
To meet the governance expectations, regularly update and test your policies, procedures and practices. Verify that cyber threats are specifically addressed in your information security, incident response and business continuity policies. When you assess your cybersecurity risk, evaluate your controls in three categories: preventive, detective, and responsive/corrective, and document the results. Then adjust your policies, procedures and practices as the risk assessment results warrant.
Threat Intelligence and Collaboration
This element reflects both the complexity and the pervasiveness of the cybersecurity problem, and it can be a particular challenge for smaller institutions, which often lack dedicated cybersecurity resources.
Regulators expect every financial institution to identify and monitor cyber threats, both to its own organization and to the financial sector as a whole, and to use that information to inform its risk assessment and its specific controls.
Third-party Service Provider and Vendor Risk Management
For the vast majority of financial institutions that outsource their technology, managing cybersecurity really comes down to managing the risk that originates at third-party providers, also known as “inherited risk”. Smaller institutions may be even more exposed because they tend to rely more heavily on third parties and tend to lag behind larger institutions in vendor management.
Regardless of size, every institution should apply basic vendor management practices to understand and control third-party risk. Pay particular attention to existing contracts and agreements: understand what provisions protect the institution against cyber threats, and how and when you will be notified of a security breach involving your data or your customers’ data.
Incident Response and Resilience
Incident response appears in every regulatory statement about cybersecurity, and for good reason: whether it originates internally or externally, a security incident is a virtual certainty. Regulators know that, although vendor oversight provides some assurance, you have very little direct control over a vendor’s preventive controls. Responsive and corrective controls must compensate for that gap.
Make sure your incident response program (IRP) has been updated to cover a cybersecurity event. Every IRP should include:
- the incident response team members
- a method for classifying the severity of an incident
- a response based on that severity, including internal escalation and external notification
- periodic testing and board reporting
Every community financial institution should review these cybersecurity expectations and ensure that all four elements are reflected in its current policies, procedures and practices. All measures should be documented and ready to be shared and discussed with regulators.
For more information on what you should be doing to comply with cybersecurity standards, download our complimentary eGuide, Understanding the Cybersecurity Expectations for Financial Institutions.