Cybersecurity is a key issue for banks today, so it’s no surprise that federal and state regulators have been scrutinizing banks’ information security (IS) efforts. Recently, several federal and state regulatory agencies have taken some new steps in the ongoing effort to protect sensitive account information. In light of the heightened scrutiny — and the significant risks involved — it’s a good idea for all banks to review and, if necessary, update their cybersecurity programs.
In September 2016, the Federal Financial Institutions Examination Council (FFIEC) updated its Information Security booklet, part of its Information Technology Examination Handbook. The booklet provides banks with an excellent framework for evaluating and strengthening their cybersecurity programs.
Also in September, the New York State Department of Financial Services proposed comprehensive cybersecurity requirements for banks and other financial institutions. (See “State regulation of cybersecurity: A burgeoning trend?”) Finally, in October 2016, the OCC, FDIC and Federal Reserve issued a joint proposal to develop enhanced cyber risk management standards for the largest financial institutions (those with total consolidated assets of $50 billion or more).
What Examiners Look For
According to the FFIEC booklet, an effective IS program should cover four key areas: 1) risk identification, 2) risk measurement, 3) risk mitigation, and 4) risk monitoring and reporting. The 95-page publication contains detailed guidance on identifying threats, measuring risk, defining IS requirements and implementing appropriate controls.
An appendix contains updated examination procedures, providing valuable insights into examiners’ cybersecurity expectations. The procedures are designed to meet a number of examination objectives, including determining whether management:
- Promotes effective governance of the IS program through a strong IS culture, defined responsibilities and accountability, and adequate resources,
- Has designed and implemented the program so that it supports the bank’s IT risk management process, integrates with its lines of business and support functions, and is responsive to the cybersecurity concerns associated with the activities of technology service providers and other third parties,
- Has established risk identification processes,
- Measures risk to help guide the development of mitigating controls,
- Effectively implements controls to mitigate identified risk, and
- Has effective risk monitoring and reporting processes.
In addition, it’s important to ascertain whether security operations encompass necessary security-related functions, are guided by defined processes, are integrated with lines of business and activities outsourced to third-party service providers, and have adequate resources. Implementing assurance and testing activities to provide confidence that the program is operating as expected and reaching its goals is also necessary.
Although the guidance applies to all types of institutions, the booklet emphasizes that banks should develop and maintain risk-based IS programs commensurate with their size and operational complexity.
Focus on Security Operations
The updated publication contains a new section on security operations that emphasizes:
Threat identification. A bank should go beyond risk identification to pinpoint specific threat sources and vulnerabilities and analyze the potential for exploitation. Management can use this information to develop strategies and tactics for protecting the bank’s IT system and detecting attacks.
Threat monitoring. Threat monitoring — both continual and ad hoc — is critical. And management should clearly delineate the responsibilities of security personnel and system administrators as well as review and approve monitoring tools and the conditions under which they’re used. Monitoring should focus not only on incoming network traffic, but also on outgoing traffic to identify malicious activity and data exfiltration.
Incident identification and assessment. Management needs a process that will identify compromise indicators — for example, antivirus alerts or unexpected file changes or logins — and rapidly report them for investigation.
Incident response. A bank’s incident response plan should include defined protocols for containing an incident, coordinating with law enforcement and third parties, restoring systems, preserving data and evidence, and providing customer assistance.
Banks often outsource services, such as data and transaction processing, cloud computing and even information security. But management remains responsible for ensuring the bank’s system and information security.
Oversight of outsourced activities includes due diligence in selecting and managing third-party service providers. In addition, management should obtain contractual assurances for security, controls and reporting; get nondisclosure agreements regarding the bank’s data and systems; and arrange for independent auditing and testing of third-party security.
Get with the Program
Given the level of regulatory activity related to cybersecurity and the serious consequences of a data breach, banks can expect scrutiny of IS programs to intensify. Now’s the time to review your program to ensure that your institution is protected.
Sidebar: State Regulation of Cybersecurity: A Burgeoning Trend?
In September 2016, the New York State Department of Financial Services (DFS) proposed comprehensive cybersecurity requirements for banks and other financial institutions under its jurisdiction. Among other things, the proposal would require banks to undertake the following steps:
- Establish and maintain a cybersecurity program — reviewed by the board of directors and approved by a senior officer — designed to ensure the confidentiality, integrity and availability of its information systems.
- Incorporate certain mandatory functions into the program, designed to identify risks, implement defensive infrastructure and policies, detect and respond to cybersecurity events, and fulfill regulatory reporting obligations.
- Appoint a chief information security officer with specified responsibilities, including providing the board with biannual written assessments of the program.
- Adopt written cybersecurity and third-party information security policies addressing specified areas.
- File annual certifications of compliance with the DFS and report material cybersecurity events to the agency within 72 hours.
If finalized, the proposed regulations likely would affect not only New York banks, but also banks that do business in New York. This also could mark the beginning of a trend toward increased state regulation of cybersecurity.