On December 3, 2014, Sarah Raskin, Deputy Secretary of the U.S. Department of Treasury (Treasury), gave a speech before the Texas Banker’s Association Executive Leadership Cybersecurity Conference. Deputy Secretary Raskin’s remarks provide effective guidance for community bank chief executive officers, chief risk executives and boards of directors to consider when assessing their cybersecurity preparedness. According to Deputy Secretary Raskin, Treasury categorizes their thinking around cybersecurity and financial industry preparedness against cyber-attacks into three activities: (1) baseline protections, (2) information sharing and (3) response and recovery. When analyzing each activity, banks should enhance their cybersecurity risk assessment processes by asking the following questions:
• Is cybersecurity part of our current risk management framework?
• Do we follow the National Institute for Standards and Technology Cybersecurity Framework?
• Do we know the cyber risks that our vendors and third-party service providers expose us to, and do we know the rigor of their cybersecurity controls?
• Do we have cyber risk insurance?
• Do we engage in basic cyber hygiene?
• Do we share information with the Financial Services Information Sharing Analysis Center, as well as other industry groups, and if so, how often?
Response and Recovery
• Do we have a cyber-incident playbook, and who is the point person for managing the response and recovery?
• What roles do senior leaders and the board play in managing and overseeing the cyber incident response?
• When and how do we engage law enforcement after a breach?
• After a cyber-incident, when and how do we inform our customers, investors and the general public?
Deputy Secretary Raskin’s complete remarks regarding cybersecurity for banks are available here.