9 Dec 2014
Security awareness will be a priority for banking regulators in 2015, with particular attention on financial institutions’ C-suite executives and boards of directors. An in-depth refresher program will likely be a must for many, as new regulations are more complex and put a strong emphasis on cybersecurity preparedness.

One resource that financial institutions may wish to consider when choosing training is the free cybersecurity education program supported by the Department of Homeland Security and the Federal Emergency Management Agency. (Thank you to http://www.bankinfosecurity.com for alerting us to this offering.) The newly updated cybersecurity curriculum is part of a series of courses offered by the National Cybersecurity Preparedness Consortium, a partnership between Texas A&M’s Engineering Extension Service, The University of San Antonio, the University of Memphis, Norwich University and the University of Arkansas.

Available classes include offerings specifically created for professionals without technical backgrounds, with a focus on helping executives understand and drive security initiatives and on developing and sustaining a company-wide security culture. Look for the “Executive Leadership and Management Services” courses on Texas A&M’s website. Coursework is taught by security industry professionals and university professors, and can be freely used by any financial institution as part of its training programs.

In addition to executive education, banks and credit unions should be developing plans for training the entire workforce, developing methods for staying current with security issues (particularly emerging threats), and being able to prove that all reasonably possible and required good-faith efforts to safeguard customer data and PII [personally identifiable information] are being practiced.
As noted in our recent post on forthcoming cybersecurity guidance from the Federal Financial Institutions Examination Council, future IT examinations for banking institutions of all sizes will include reviews of employee awareness of security threats, the depth and breadth of an institution’s training programs, patching policies and, especially, the securing of mobile banking. Other areas of focus will include risk management and oversight; threat intelligence and secure information sharing; IT security controls, including monitoring and reporting systems; management of third-party service providers; and disaster recovery and business continuity plans following a breach or other digital security incident. The FFIEC has released guidance on best practices to bolster security in these five focus areas.