Tag: ACET

12 Nov 2020
The Importance of Performing a Cybersecurity Gap Analysis for Banks and Credit Unions

The Importance of Performing a Cybersecurity Gap Analysis for Banks and Credit Unions

The Importance of Performing a Cybersecurity Gap Analysis for Banks and Credit Unions

In response to the Coronavirus pandemic, many financial institutions have implemented new technologies and made modifications to their IT infrastructure to better serve customers, members, and employees during this time. These changes may have increased the institution’s inherent risk profile, however, making it necessary to review the Federal Financial Institution Examination Council’s (FFIEC) Cybersecurity Assessment Tool (CAT) or National Credit Union Association’s Automated Cybersecurity Examination Tool (ACET). When adjustments are made to the organization, community banks, and credit unions must evaluate their risks and perform a gap analysis to ensure the institution is protected from cyber threats.

What is a Cybersecurity Gap Analysis?

A cybersecurity gap analysis starts evaluating the results of the CAT or ACET, (which is simply a snapshot in time of where you are with your risks (inherent risk profile) and controls (cybersecurity maturity) and then comparing “where your institution is” to “where you need to be.” In almost every case, there is some degree of misalignment between the two. Some common questions financial institutions ask are “Could we be doing more to oversee our cloud providers?” or “Should we be doing more to manage our internal administrators or third parties?” The idea of the gap analysis is to take your risk areas and determine what set of controls are most effective against those specific risk areas.

Completing the Cybersecurity Maturity section, for example, helps financial institutions better identify missing controls and processes. So, in order to increase the level of cybersecurity maturity, institutions should continually implement changes even if their inherent risk profile doesn’t change. Conducting a gap analysis is the first step in this process.

Continuous Improvement

Why should institutions strive to continuously improve their security posture even if their risk profile doesn’t increase? Simply put, because the threat environment is constantly evolving. New threats (and new twists on old threats) require constant vigilance and continuous improvements to existing controls. Standing still means you’re probably falling behind. On the other hand, making steady, incremental progress on your control maturity demonstrates a proactive, forward-thinking approach to cybersecurity.

Key Areas of Focus

First, financial institutions must determine if their controls and risks align – no small task as there are roughly 30 risk elements and nearly 500 control maturity elements in the assessment. Attempting to improve all of these areas in the CAT can be challenging and expensive for any institution, but especially smaller community banks and credit unions. While all control maturity domains are important, if your financial institution has limited resources, there are two key domains that you should focus your attention on when developing the gap analysis.

  • Domain 4: External Dependency Management
  • This domain involves establishing and maintaining a comprehensive program to oversee and manage external connections and third-party relationships that provide access to the institution’s technology and information. Most financial institutions have a host of outsourced relationships that they rely on to keep operations running. Evaluating the interdependencies and associated security gaps from third-party vendors should be a key part of your analysis process.

  • Domain 5: Cyber Incident Management and Resilience
  • This domain focuses on establishing, identifying, and analyzing cyber events, as well as the ability to prioritize, contain, and mitigate during cyber events. The institution should also have the ability to properly inform the appropriate stakeholders in response to a cyber event. Cyber resilience includes both planning and testing to maintain and recover ongoing operations during — and following — a cyber incident. In the current security environment, it’s not if a cyber event will occur but when. Financial institutions should have an effective cyber incident response plan to control, contain, and recover from a potential cyber incident.

For more information, watch our Banking Bits and Bytes episode, “What is a Cybersecurity Gap Analysis?”

18 Jun 2020
Addressing Banking Security, Technology and Compliance Concerns

Addressing Banking Security, Technology and Compliance Concerns

Addressing Banking Security, Technology and Compliance Concerns

To gain new insight into the needs of banks and credit unions today, Safe Systems conducted a sentiment survey and asked community financial institutions directly about their top concerns. Their responses were primarily concentrated in three main areas: security, compliance, and technology, especially regarding exams and audits, cyber threats, and disaster recovery. Since the pandemic events of this year, many of these concerns have only strengthened in importance. In this blog post, we’ll address these challenges and offer some key best practices to solve them.

Top Security Concern: Cybersecurity

Banking security threats are pervasive worldwide, leaving banks and credit unions with good cause for concern. Consider these alarming cybercrime statistics: Cyber-attacks are 300 times more likely to hit financial services firms than other companies, according to a recent Boston Consulting Group report.

A key tool to combat cyber threats is the Cybersecurity Assessment Tool (CAT) from the Federal Financial Institutions Examination Council (FFIEC) and the Automated Cybersecurity Examination Tool (ACET) from the NCUA. Institutions can utilize this voluntary industry-specific cyber assessment tool to identify their risk level and determine the control maturity of their cybersecurity programs.

Top Compliance Concern: Exams and Audits

While examinations and audits are necessary components of compliance, many institutions are intimidated by the process itself, and while exams and audits may overlap in similar areas, they are distinctly different in terms of nature and scope.

The Federal Deposit Insurance Corporation (FDIC) conducts bank examinations to ensure public confidence in the banking system and to protect the Deposit Insurance Fund. Audits, which typically last several months, are designed to ensure institutions are complying with federal laws, jurisdictional regulations, and industry standards. Auditors conduct tests, present their findings, and recommend corrective actions for the bank to undertake.

Banks and credit unions can use several tactics to prepare for, and meet, the requirements and expectations of regulators:

  • Review all guidance and issues related to their institution and become familiar with any changes that might impact them
  • Review previous exam reports for comments or matters that require attention and be prepared to report and discuss these findings, along with any previous nonfinding comments
  • Use a managed services provider in combination with compliance applications to automate the process of documenting, reporting, and preparing for exams.

While following best practices will not guarantee that an institution won’t have examination findings, it can help significantly lower the likelihood and severity of them.

Top Technology Concern: Disaster Recovery

Financial institutions must have provisions for restoring their IT infrastructure, data, and systems after a disaster happens. Considering the recent outbreak of COVID-19, it is also important for community banks and credit unions to consistently review, update, and test their current disaster recovery plans to be able to address any issues that occur during a pandemic event.

With effective planning, banks and credit unions can launch a calculated response to a disaster, pandemic event, or other emergencies to minimize its effect on their information systems and the overall business operations. Some general best practices for disaster recovery include:

  • Analyzing potential threats
  • Assessing the technology required
  • Managing access controls and security
  • Conducting regular data recovery test
  • Returning operations to normal with minimal disruption

While the survey respondents shared a number of serious banking security, technology, and compliance concerns, the good news is that they all can be properly addressed with the right processes, strategies, and resources in place. For more information on the top concerns community banks and credit unions are experiencing today, read our latest white paper, “Top 10 Banking Security, Technology, and Compliance Concerns for Community Banks and Credit Unions.”