Cybersecurity is a serious concern for banks today. Hackers have stolen more than $1 billion from banks, along with sensitive customer data, bank email information, ATM data, and PINs. They have managed to do this in various ways, such as reprogramming a bank’s ATMs or breaking into its online banking platform. Hackers are clever, so banks must step up and be even more vigilant!
FFIEC Cybersecurity Guidance
In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council (FFIEC) developed the Cybersecurity Assessment Tool (CAT) to help institutions identify their risks and determine their cybersecurity maturity. The assessment provides institutions with a repeatable and measurable process to inform management of their institution’s cybersecurity risks and preparedness.
Is Your Bank Ready to Discuss Cybersecurity with Regulators?
Recently I had the privilege to teach at the Southeast Community Bank Symposium at Georgia Southern University. This symposium consisted of senior leaders from banks in the southeast (CFO, senior lenders, President, CEO, and board members). I was tasked with educating the group on cybersecurity, and I focused on threats, examiner expectations, and best practices for the management of cybersecurity risk. My goal was to provide the audience with a better understanding of cybersecurity and some tangible takeaways to manage this risk at their banks.
As part of the session I informally polled the audience on how many of them had filled out the CAT. To my surprise, only about 10-15 percent raised their hands. I concluded that either the bank had filled out the CAT without including senior leaders in the process, or the bank simply had not filled out the CAT at all.
Does Your Leadership Team Fall into These Categories?
If so, here are some things to think about:
- Opt-out? The regulators state that filling out the CAT is optional. While completing the CAT is not a requirement, all government agencies have stated they intend to use the tool to assess an institution’s cybersecurity readiness. Regulators have already begun to issue citations to financial institutions that have lapses or are not meeting regulations. If you have not completed the CAT, your bank should expect findings that target the management team, not just IT/Operations.
- Same bank, different employees, different answers. All employees need to be on the same page and complete the CAT with the same answers. Your entire team, including management, needs to be trained, informed, and truly understand its cybersecurity plan. This should result in employees communicating consistent and accurate information to regulators.
- What’s your risk level? Every bank thinks its cybersecurity risk is minimal, and that is simply not the case. Innovative banking technology has clearly improved the customer experience, and has moved activities that once had to happen at the branch onto computers and mobile devices. This expanded availability of technology is great in many ways, but at the same time it increases the risks to your institution.
- Cybersecurity is a real threat. What would happen to your bank if hackers got control of your core data and would not let you access the systems? How much protected information could the hackers get if they controlled access to your key systems? What would happen to your business and reputation if you did not have access to your IT systems for 10 days, and then the hackers deleted the data?
How to Engage Bank Management
What should you do if your management team is not engaged, or the bank has not filled out the CAT? Here are the best next steps:
- Complete the CAT as a management team (NOT just Operations/IT)
- Educate Senior Management and the Board on the risk findings and the gaps in your current cybersecurity control maturity
- Validate that your maturity level meets your risk level through testing that emphasizes cyber threats
The 4 Best Ways to Manage Cybersecurity Risk
Banks must incorporate cybersecurity into their overall risk-management framework. This includes a well-managed set of overlapping security controls to help prevent, detect, or recover from cybersecurity events. The FDIC recently encouraged bank supervisors to focus on four critical components to manage cybersecurity risk:
- Corporate governance
- Threat intelligence
- Security awareness training
- Patch-management programs
While all four areas are necessary, patch-management programs are vital. The lack of a solid patch-management program has led to an increasing number of security incidents. An effective patch-management program should include written policies and procedures to identify, prioritize, test, and apply patches in a timely manner. Without efficient patch management in place, banks leave themselves vulnerable.
Safe Systems Can Help!
With the increase in cybersecurity risk comes the promise of additional regulatory guidance. Safe Systems can help your financial institution manage its cybersecurity program and meet the compliance needs that come with government regulations. As a trusted advisor exclusively serving financial institutions, Safe Systems offers a network management solution to enhance your institution’s cybersecurity posture – one that includes a comprehensive and highly automated patch management capability to fit your bank’s needs.