Cyberattacks aren’t limited to just data breaches these days—there is a litany of prevalent cyber risks threatening your financial institution. Sure, data breaches are getting the most attention, but your institution faces more than just one category of cyber risk. Whether it’s a system outage, a distributed denial of service (DDoS) attack or any other cyber incident, you need to be prepared to respond.
To ensure your financial institution has a strong strategy for cybersecurity preparedness, the Federal Financial Institutions Examination Council (FFIEC) recommends you take a comprehensive approach to maintaining the security and resilience of your technology infrastructure. That includes establishing a robust cybersecurity framework.
5 Key Elements for a Strong Cybersecurity Framework
To fight back against cyber threats, the FFIEC recommends your financial institution’s cybersecurity framework focus on five key areas:
- Cyber Risk Management and Oversight
To strengthen management and oversight of your financial institution’s cybersecurity strategy, follow these four steps:
- Test your policies and procedures with regular information security reviews and IT audits
- Support your risk management program by using the FFIEC Cybersecurity Assessment Tool
- Provide employees with training and resources that are easy to understand, and ensure IT and information security staff keep up with their training, too
- Educate and engage senior management and the board to develop a strong culture of security
- Threat Intelligence and Collaboration
To ensure you have the most updated information about industry threats, subscribe to email lists and collaboration services from reputable resources like:
- Cybersecurity Controls
Implement cybersecurity controls to help your financial institution prevent, detect and mitigate cybersecurity events. There are three categories of cybersecurity controls:
- Physical Security Controls: These controls traditionally tighten perimeter building security and limit access to server rooms and network operations centers.
- Logical Security Controls: This is your first line of defense if a hacker breaches your physical controls. Logical controls typically include identification, authentication, authorization and accountability tools.
- Other Controls: This category includes policies and procedures, training and education, and employee reaction and response.
- External Dependency Management
Manage any external solutions that your institution uses by undergoing these three evaluations:
- Business impact analysis (BIA): Determine the likely impact to your organization if a vendor, product or service ceased to exist or function properly
- Cybersecurity risk assessment: Identify the risks for a particular vendor or service and how likely each risk is to affect that relationship so you can prepare accordingly
- Vendor management: Read the FFIEC’s new Appendix J from the Business Continuity Handbook to help determine if adequate controls are in place among external dependencies
- Incident Management and Resilience
Update your incident response and business continuity plans (BCP) to include the words “cyber incident” and/or “cyber risks.” While these topics may already be covered, the explicit wording reduces questions and helps satisfy regulators. Be sure your plans actually contain the information needed to help you respond effectively to cyberattacks.
Get a Little Help from Your Friends
Does cybersecurity feel overwhelming? You’re not alone. Trusted third-party providers can help you effectively address and manage risk so you can build a strong cybersecurity program. Get a little help from your friends—know your risks, protect your data and feel confident in your regulator-recommended approach to cybersecurity preparedness.
Steve Sanders, CSI vice president of Internal Audit, oversees the evaluation of risks associated with IT, financial and operational systems. He has a strong knowledge of cybersecurity and privacy, accompanied by an educational background in computer security and data protection. Steve has a unique ability to simplify these complex topics and increase awareness, and as such, he regularly speaks at conferences on information security, cybersecurity and risk management.