26 Nov 2014
The forthcoming cybersecurity guidance from the Federal Financial Institutions Examination Council is expected to focus on the people and processes that defend against specific types of threats. Future IT examinations for banking institutions of all sizes will include reviews of employee awareness of security threats, the depth and breadth of an institution’s training programs, patching policies, and, especially, the security of mobile banking.

When will the guidance be released?

No date has been set for when the guidance will be issued, but all indications point to 2015. Congressional pressure on industries to address the growing number of data breaches, combined with the banking industry’s strong interest in delivering mobile services, will likely push the FFIEC to move forward comparatively quickly with this release. To get a head start, look to the risk warnings issued by the FFIEC and its member agencies in 2014 for pointers on what the new guidance will address and what demonstrable evidence it will require from financial institutions.

Five Areas of Focus

The FFIEC’s pilot program for cyber-risk assessments, conducted at 500 community banks during the summer of 2014, revealed five areas where financial institutions should strengthen their security programs. As detailed in the Council’s report on its findings, these five areas of focus are:
- Risk management and oversight, including C-level and employee training and awareness of emerging threats;
- Threat intelligence and secure information sharing;
- IT security controls, including monitoring and reporting systems;
- Management of third-party service providers;
- Disaster recovery and business continuity plans following a breach or other digital security incident.