The forthcoming cybersecurity guidance from the Federal Financial Institutions Examination Council (FFIEC) is expected to focus on the people and processes that defend against specific types of threats.
Future IT examinations for all sizes of banking institutions will include reviews of employee awareness of security threats, the depth and breadth of an institution’s training programs, patching policies, and – especially – securing mobile banking.
When will the guidance be released?
There is no date set as yet for when the guidance will be issued, but all indications point to 2015. Congressional pressure on industries to address the growing numbers of data breaches, combined with the banking industry’s strong interest in delivering mobile services, will likely push the FFIEC to move forward comparatively quickly with this release.
To get a head start, look to the risk warnings issued by the FFIEC and its member agencies in 2014 for pointers on what the new guidance will address and require in the way of demonstrable proof from financial institutions.
Five Areas of Focus
The FFIEC’s pilot program for cyber-risk assessments, conducted at 500 community banks during the summer of 2014, revealed five areas where financial institutions should strengthen their security programs.
As detailed in the Council’s report on its findings, these five areas of focus are:
- Risk management and oversight, including C-level and employee training and awareness of emerging threats
- Threat intelligence and secure information sharing
- IT security controls, including monitoring and reporting systems
- Management of third-party service providers
- Disaster recovery and business continuity plans following a breach or other digital security incident
The FFIEC’s release on its pilot program provides self-audit questions and guidance on best practices to bolster security in the above five identified domains of concern.
Additional Audit Concentrations
Mitigation of specific threats will also be one of the major concerns of examiners. Banking institutions should prepare to demonstrate how they mitigate the threats posed by known vulnerabilities, as well as how they use and manage preventive, detective, and corrective controls.
The FFIEC is also expected to include guidance stressing the importance of engaging boards of directors and senior management in managing cybersecurity risk.
The Council also notes that financial institutions’ participation in information sharing forums (e.g., the Financial Services Information Sharing and Analysis Center, FS-ISAC) “is an important element of an institution’s risk management processes and its ability to identify, respond to, and mitigate cybersecurity threats and incidents.”