While others were waiting for spring to arrive, community bank officers and directors were waiting for the Federal Financial Institutions Examination Council (FFIEC) to provide additional guidance on its cybersecurity assessment program. On March 17, 2015, FFIEC provided an overview of its cybersecurity priorities for the remainder of 2015. FFIEC’s priorities include seven workstreams based on FFIEC’s cybersecurity work program (Cybersecurity Assessment) conducted at over 500 community banks in the summer of 2014. FFIEC’s top priority for 2015 is the development and issuance of a self-assessment tool that financial institutions can use to evaluate their readiness to identify, mitigate and respond to cyber threats. Consistent with the general observations of the Cybersecurity Assessment, FFIEC will evaluate community bank cyber incident analysis, crisis management, training, and policy development and expand their focus on technology service providers’ cybersecurity preparedness. FFIEC will also improve its collaboration with other agencies and communicate on the importance of cybersecurity awareness and best practices among financial industry participants and regulators. FFIEC’s seven cybersecurity priorities for 2015 are:
- Cybersecurity Self-Assessment Tool—FFIEC plans to issue a self-assessment tool this year to assist institutions in evaluating their inherent cybersecurity risk and their risk management capabilities.
- Incident Analysis—Bank regulators will enhance their processes for gathering, analyzing, and sharing information with each other during cyber incidents.
- Crisis Management—FFIEC will align, update, and test emergency protocols to respond to system-wide cyber incidents in coordination with public-private partnerships.
- Training—FFIEC will develop training programs for bank examiners on evolving cyber threats and vulnerabilities.
- Policy Development—FFIEC will update and supplement its Information Technology Examination Handbook to reflect rapidly evolving cyber threats and vulnerabilities with a focus on risk management and oversight, threat intelligence and collaboration, cybersecurity controls, external dependency management, and incident management and resilience.
- Technology Service Provider Strategy— Bank regulators will expand their focus on third party relationships, including technology service providers’ ability to respond to growing cyber threats and vulnerabilities.
- Collaboration with Law Enforcement and Intelligence Agencies—FFIEC will build upon existing relationships with law enforcement and intelligence agencies to share information on the growing cybersecurity threats and response techniques.
Additionally, FFIEC is expected to continue to publish statements and alerts regarding cyber threats and vulnerabilities.