By Tom Hinkel
Cybersecurity has become a topic of interest to every financial institution as regulators increase their focus on cyber risks and controls. Third-party relationships are often the weakest link in the cybersecurity chain, and breaches are common: 43 percent of companies had a data breach in 2014, according to the Ponemon Institute. Since then, the release of both the Federal Financial Institutions Examination Council's (FFIEC) Cybersecurity Assessment Tool (CAT) and the updated Management booklet of the FFIEC IT Examination Handbook has heightened awareness of cybersecurity across the financial industry and of the importance of accurate cybersecurity assessments.
The CAT helps financial institutions identify risks and determine cybersecurity preparedness. Further, the CAT provides a repeatable process for financial institutions to measure their current state of cybersecurity preparedness and to track changes. So, what do you need to know about cybersecurity and compliance?
What an Effective Cybersecurity Program Should Include
Cybersecurity is a wide topic that impacts all aspects of your information security program, and ultimate responsibility for cybersecurity rests with the board of directors. Almost all FFIEC examination handbooks list proper governance as the most important quality for compliance. This can be achieved through management structure, assignment of responsibilities and authority, establishment of policies/standards and procedures, allocation of resources, and monitoring and accountability. It is necessary for banks to regularly update policies and procedures, assess risks, identify controls and then test these controls to validate their effectiveness. Consequently, banks must then refine or expand these policies, procedures and practices based on test results. This includes assessing cybersecurity readiness as well.
Cybersecurity activities must be properly informed to be effective, and gathering and exchanging this information with third parties has been garnering added regulatory attention. Threat intelligence and collaboration can be a challenge for smaller financial institutions that don’t have dedicated cybersecurity resources. Even though your community bank may lack the size and complexity of the larger national banks, regulators still expect all financial institutions to identify and monitor cyber threats, and to use that information to inform their own risk environment as well as their specific controls.
For a majority of banks, managing their cybersecurity posture relies heavily on managing risks inherited from the vendors with whom they work. When it comes to securing financial institutions, regulators know that smaller banks may be at greater risk since they typically rely more heavily on third parties. As part of a robust vendor management program, regardless of the bank's size, it is important to pay attention to existing contracts and agreements. Vendors should not be overlooked when preparing for how you would handle a security breach.
This is where incident response and resilience come into the equation. Ensure your incident response plan (IRP) has been updated to accommodate various types of cybersecurity events and severity levels. Your IRP should contain a method for classifying the severity of an incident and a tiered response strategy based on that severity. Like any policy, the IRP should be tested periodically, and the results should be reported to the board.
What Comes After the Cybersecurity Assessment?
Once your bank has completed both parts of the CAT (the Inherent Risk Profile and the Cybersecurity Maturity assessment), management should perform a gap analysis to determine the next steps. The gap analysis should rank in importance the actions needed to reduce risks or increase control maturity in order to bring the actual state of operations in line with the desired state. This desired state should be based on an official risk appetite approved by the board. Once your risk appetite is established, you can determine whether or not your residual risks are at an acceptable level.
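The gap analysis above is mechanical enough to script once the maturity answers are in a structured form. The following is an added example, written for this article and not code from the author, Safe Systems or the FFIEC. It assumes the CAT's cumulative rule that a domain attains a maturity level only when every declarative statement at that level and at every lower level is met, and it uses constructed, simplified statements (not FFIEC text) under two of the CAT's real domain names. Given a board-approved target level per domain, it reports the level actually attained and the unmet statements at or below the target, ordered lowest level first, because a gap at a lower level blocks every level above it.

```python
"""Gap analysis over a CAT-style Cybersecurity Maturity assessment.

Added example (not from the article or the FFIEC). Assumptions:
- Levels are ordered Baseline < Evolving < Intermediate < Advanced < Innovative.
- A domain attains a level only when every declarative statement at that level
  and at all lower levels is met (the CAT's cumulative rule).
- SAMPLE_ANSWERS are constructed stand-ins, not actual FFIEC declarative statements.
"""
from collections import defaultdict

LEVELS = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Constructed sample answers: (domain, level, declarative statement, met?)
SAMPLE_ANSWERS = [
    ("Cyber Incident Management and Resilience", "Baseline", "An incident response plan exists", True),
    ("Cyber Incident Management and Resilience", "Baseline", "Incidents are classified by severity", True),
    ("Cyber Incident Management and Resilience", "Evolving", "The IRP is tested at least annually", False),
    ("Cyber Incident Management and Resilience", "Evolving", "Test results are reported to the board", True),
    ("Cyber Incident Management and Resilience", "Intermediate", "Tests include third-party providers", False),
    ("External Dependency Management", "Baseline", "Third-party contracts are inventoried", True),
    ("External Dependency Management", "Evolving", "Contracts require breach notification", True),
    ("External Dependency Management", "Intermediate", "Critical vendors are monitored continuously", True),
    ("External Dependency Management", "Advanced", "Vendor controls are independently validated", False),
]


def attained_level(answers, domain):
    """Highest level for which this domain meets every statement at that level and
    below. Returns None when even Baseline is not fully met or was not assessed."""
    by_level = defaultdict(list)
    for d, level, _stmt, met in answers:
        if d == domain:
            by_level[level].append(met)
    attained = None
    for level in LEVELS:
        # A level with no assessed statements cannot be claimed, so stop there.
        if level not in by_level or not all(by_level[level]):
            break
        attained = level
    return attained


def gap_analysis(answers, targets):
    """For each domain in `targets` (domain -> board-approved target level), return the
    current level and the unmet statements at or below the target, lowest level first."""
    report = {}
    for domain, target in targets.items():
        gaps = [
            (RANK[level], level, stmt)
            for d, level, stmt, met in answers
            if d == domain and not met and RANK[level] <= RANK[target]
        ]
        gaps.sort()  # lower-level gaps come first: they block everything above them
        report[domain] = {
            "current": attained_level(answers, domain),
            "target": target,
            "gaps": [(level, stmt) for _rank, level, stmt in gaps],
        }
    return report


if __name__ == "__main__":
    # Hypothetical board-approved targets for the constructed sample.
    targets = {
        "Cyber Incident Management and Resilience": "Intermediate",
        "External Dependency Management": "Evolving",
    }
    for domain, entry in gap_analysis(SAMPLE_ANSWERS, targets).items():
        print(f"{domain}: current={entry['current']}, target={entry['target']}")
        for level, stmt in entry["gaps"]:
            print(f"  [{level}] {stmt}")
```

In the constructed sample, the incident-management domain sits at Baseline with an Evolving-level gap (an untested IRP) ahead of its Intermediate-level gap, so the ordering tells management which action to fund first; the vendor-management domain already exceeds its Evolving target and reports no gaps, which is the "residual risk at an acceptable level" outcome the article describes.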
By now, many financial institutions will have taken the time to complete an initial assessment using the CAT. Even though some regulatory agencies have indicated that completion of the tool is not mandatory, all agencies have stated that they intend to use the tool to assess your institution's cybersecurity readiness. It is in your bank's best interest to complete the assessment so you can be better prepared for any examination questions.
What Are Your Bank’s Options for Cybersecurity?
The responsibility of managing your bank's entire cybersecurity program can be daunting. Managing it all yourself can be challenging, as it is especially hard to keep up with complex and ever-changing regulations. For example, the CAT assessment itself is 123 pages, with 69 questions and 10 categories. The control maturity section has more than 500 declarative statements you must evaluate. Most small banks don't have the bandwidth or simply can't afford to have an internal team dedicated to regulatory management.
Another option is utilizing a local IT service provider; however, local IT service providers typically don't have experience with the regulatory demands that bankers face. Auditors and examiners expect thorough documentation and a paper trail showing adherence to daily processes, regardless of institution size. This requires knowledge of your banking applications, cybersecurity and the compliance environment.
Finally, a bank can engage an experienced bank IT and compliance partner to manage cybersecurity. The right IT service provider can couple security measures with an understanding of and support for the unique compliance demands of the banking industry.
A Secure, Simple Solution
Reviewing the requirements for cybersecurity and comparing them with your current policies, procedures and practices is a step in the right direction toward a successful cybersecurity program. Regardless of what your approach to cybersecurity may entail, prepare to discuss what you are doing and how you are doing it with regulators; additionally, be prepared to provide evidence to prove you are doing what you say you are doing.
Tom Hinkel, vice president of compliance services, is responsible for ensuring that Safe Systems’ services (www.safesystems.com) incorporate and abide by appropriate financial industry regulations and best practices. In this position, Hinkel works closely with R&D, product management, and operations managers to ensure that new and existing services comply with FFIEC standards. Most important, by staying current on regulatory issues facing financial institutions, Hinkel serves as a regulatory compliance resource for Safe Systems’ customers.