Threat of Cybercrimes Changes Some Financial Institution Exams
In response to the growing sophistication and volume of cyberthreats, the Federal Financial Institutions Examination Council (FFIEC) is piloting a cybersecurity examination program at 500 financial institutions around the country this summer.
The goal is to raise the awareness of financial institutions and their third-party service providers with respect to IT risks. The council formally announced the program on June 24 with the launch of a cybersecurity web page.
“The FFIEC wants to develop a baseline assessment across the sector of how institutions are managing their cyberrisks,” says Amy McHugh, an IT consultant with CliftonLarsonAllen. “The assessments will be part of the existing examination process and will be incorporated into information technology reviews during regularly scheduled examinations.”
What's behind the pilot
The FFIEC agencies are taking a number of initiatives to raise the awareness of financial institutions and their third-party service providers of cybersecurity risks and the need to identify, assess, and mitigate these risks.
Information from the pilot effort will help regulators assess how community financial institutions manage cybersecurity and their preparedness to mitigate cyberrisks. Regulators are focusing on risk management and oversight, threat intelligence and collaboration, cybersecurity controls, service provider and vendor risk management, and cyberincident management and resilience. Another aim of the pilot is to help regulators enhance the effectiveness of supervisory programs, guidance, and examiner training.
What piloted institutions should expect
Financial institutions with federal and state examinations in July should expect an expanded document request list including:
- Cybersecurity risk assessments and policies
- Cybersecurity incident response plans
- Cyberthreat awareness and information sharing procedures
- Descriptions of all third-party access to internal networks
“The process shifts more of the audit emphasis on the security of IT rather than the technical aspects of IT,” says McHugh. “It also shifts the responsibility to senior and executive-level management.”
In addition, there's going to be more of an emphasis on vendor management and the risk ratings of all vendors — not just IT vendors.
What should institutions be doing to prepare?
The pilot announcement comes on the heels of a May 7, 2014, webinar that indicated what the FFIEC agencies will be looking for from bank management and boards of directors:
- Setting the tone at the top and building a security culture
- Identifying, measuring, mitigating, and monitoring risks
- Developing risk management processes commensurate with the risks and complexity of the institutions
- Aligning cybersecurity strategy with business strategy and accounting for how risks will be managed now and in the future
- Creating a governance process to ensure ongoing awareness and accountability
- Ensuring timely reports to senior management that include meaningful information addressing the institution's vulnerability to cyberrisks
How we can help
One CLA client has already received a cybersecurity request list. We can help you understand your risk profile with an IT risk and vulnerability assessment, and then help you manage risks in line with the complexity and risk profile of your institution. This assessment is part of a full range of information security services to help you develop and maintain a comprehensive cybersecurity program.