On November 3, 2014, the Federal Financial Institutions Examination Council (FFIEC) released general observations (the FFIEC Observations) based on its 2014 cybersecurity examination work program assessment (the Cybersecurity Assessment) of more than 500 community banks. The Cybersecurity Assessment supplemented regularly scheduled bank examinations, built upon key supervisory expectations contained in existing FFIEC information technology handbooks and highlighted FFIEC’s efforts to promote cybersecurity preparedness for community banks. FFIEC’s Cybersecurity Assessment found that the level of cybersecurity inherent risk varies significantly across financial institutions. The FFIEC Observations are intended to address such risks by providing questions for community bank and other financial institution boards of directors and senior management to consider when assessing cybersecurity risk.
Community banks and other financial institutions should ascertain their inherent risks by assessing the types of connections and technologies used, as well as products and services offered. When assessing inherent risks, boards of directors and senior management should consider the following:
- What types of connections does my financial institution have?
- How are we managing these connections in light of the rapidly evolving threat and vulnerability landscape?
- Do we need all of our connections? Would reducing the types and frequency of connections improve our risk management?
- How do we evaluate evolving cyber threats and vulnerabilities in our risk assessment process for the technologies we use and the products and services we offer?
- How do our connections, products and services offered, and technologies used, collectively affect our financial institution’s overall inherent cybersecurity risk?
The FFIEC Observations and questions to consider are available online.
In addition to assessing inherent risk, the Cybersecurity Assessment reviewed current practices and cybersecurity preparedness by examining financial institutions’ policies and procedures, focusing on the following:
- Risk management and oversight
- Threat intelligence and collaboration
- Cybersecurity controls
- External dependency management
- Cyber incident management and resilience
On November 3, 2014, FFIEC also issued a statement regarding cybersecurity threats, vulnerability monitoring and sharing (the FFIEC Statement). The FFIEC Statement reminded community banks and other financial institutions that cyber attacks pose a variety of risks, including operational risk, fraud losses, and liquidity and capital risk, and that information sharing is an important element of their risk management processes and of their ability to identify, respond to and mitigate cyber threats. FFIEC recommended that banks of all sizes participate in the Financial Services Information Sharing and Analysis Center (the FS-ISAC) to identify, respond to and mitigate cyber threats. The FS-ISAC is a private-sector nonprofit information-sharing forum established by financial services industry participants in response to the federal government’s efforts to facilitate the sharing of physical and cybersecurity threat and vulnerability information between the public and private sectors. The FFIEC Statement and additional resources from FFIEC and the FS-ISAC are available online.