Five Steps to Ensuring a Positive Outcome Rather Than a Nasty Surprise
Rumors abound regarding the unexpected depth and less-than-stellar outcomes of the pilot cybersecurity exams conducted last summer by the Federal Financial Institutions Examination Council (FFIEC). One year later, many banks are unsure what to expect at their next IT exam—or even if that’s where cybersecurity will be addressed—and fear the worst.
But, rather than be paralyzed by that fear, financial institutions must address the key areas on which recent cybersecurity guidance suggests federal regulators will focus at exam time, whether during the IT exam or the Safety and Soundness exam.
Follow these five steps to keep your institution one step ahead of cybercriminals—and in step with regulatory expectations.
Step 1: Know Your Cybersecurity Risk Profile and Maturity Level
What to Expect: Regulatory examiners will now expect banks to have a much better understanding of their cybersecurity risk profile and maturity level.
How to Prepare: The key to gaining that understanding and proving it at exam time is the FFIEC’s recently published Cybersecurity Assessment Tool. It’s surprisingly well organized, easy to use and comprehensive, as it’s based on the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework. So, using either the FFIEC’s assessment or a comparable tool, complete these tasks:
Determine Your Inherent Risk Profile
The assessment helps your bank identify its inherent risks in the following key areas and rate them on a scale of least to most inherent risk:
- Technologies and Connection Types
- Delivery Channels
- Online/Mobile Products and Technology Services
- Organizational Characteristics
- External Threats
Determine Your Cybersecurity Maturity
This portion of the assessment walks your bank through its behaviors, practices and processes to see whether they adequately support your cybersecurity preparedness. It covers the following domains, and for each one your bank assigns itself a maturity level based on its findings:
- Cyber Risk Management and Oversight
- Threat Intelligence and Collaboration
- Cybersecurity Controls
- External Dependency Management
- Cyber Incident Management and Resilience
Step 2: Limit Your Exposure
What to Expect: After Step 1, you should have a clear sense of where your bank is exposed—and you can be sure that regulatory examiners are expecting you to have done something to limit that exposure.
How to Prepare: This process can take two forms, depending on the area of exposure and your organizational needs:
Reduce the Level of Risk in Exposed Areas
The first option is to lower the level of risk in exposed areas. For example, through Step 1, your bank may realize it has too many unnecessary Internet-facing servers. Reducing that number can significantly lower your bank’s risk of a breach through those servers.
Increase the Maturity Level in Exposed Areas
Option one may not always be feasible. For instance, limiting customers’ mobile channel options may reduce the bank’s level of hacking risk, but it also would upset customers, exchanging one risk (breach) for another (lost customers). The better option is to increase the cybersecurity maturity level in that area.
Step 3: Include Cybersecurity in Your BCP and Incident Response Plan
What to Expect: Following the publication of Appendix J of the FFIEC’s Business Continuity Planning Booklet, regulatory examiners will expect Business Continuity Programs (BCP), including Incident Response Plans, to be updated with cybersecurity references.
Appendix J outlines specific cyber risks to consider:
- Sophisticated malware focused on data corruption and unauthorized financial transactions
- Insider threats from disgruntled employees or moles planted by cyber criminals
- Data or systems corruption due to a cyberattack
- Disruption of communications capabilities and infrastructure due to a cyberattack
- Simultaneous cyberattacks on financial institutions and their technology service providers (TSPs)
How to Prepare: Banks should have updated their BCP by now, but another look before exam time is highly recommended. Go through your bank’s BCP documentation, including your Incident Response Plan, and ensure cybersecurity is adequately addressed and specifically written into the BCP.
Step 4: Evaluate Your Vendors’ Cybersecurity Risk Profiles
What to Expect: Appendix J reminds banks that they are ultimately responsible for the safety and soundness of activities outsourced to TSPs. Examiners will expect banks to have conducted a thorough examination of all vendors, particularly those involved in the most critical operations.
How to Prepare: Starting with your most critical vendors, assess the following three areas based on Appendix J:
- Third-Party Management: Is the vendor’s risk fully identified and adequately controlled?
- Third-Party Capacity: Is the vendor capable of restoring service to all of its clients?
- Third-Party Testing: Has the vendor’s BCP been validated through adequate testing?
Step 5: Educate and Involve Senior Management and the Board
What to Expect: Bank examiners expect to see active involvement by senior management and the board of directors in all matters, including cybersecurity.
How to Prepare: Senior leadership needs to do more than just rubber-stamp IT, Information Security and BCP policies and programs every year. They must be properly involved, and their involvement needs to be felt throughout the enterprise. To begin, take these steps:
- Routinely present cybersecurity updates at board meetings: Include internal (new products, technologies, etc.) and external (emerging threats) changes that could alter your bank’s cybersecurity stance.
- Encourage senior leadership to set the tone: Ensure C-suite employee communications routinely include messages about the importance of cybersecurity resilience.
- Document all involvement: Make sure board meeting minutes reflect all cybersecurity discussions and actions, and keep a record to share at exam time.
Expect a Better Outcome at Exam Time by Preparing for It
Examiner expectations regarding cybersecurity are growing, but that doesn’t mean your bank has to expect the worst at its next IT or Safety and Soundness exam. Completing the above steps will prepare your bank and ensure it is speaking the same cybersecurity language as examiners, which is half the battle.
Steve Sanders, CSI’s vice president of Internal Audit, oversees the evaluation and mitigation of risks associated with IT, financial and operational systems. He is a CISA, CRISC, CRMA, and a CTGA, and speaks regularly on information security, cybersecurity and IT audit topics.