The goal, Leet explained, is to use that information to develop more comprehensive examination procedures and provide updates to the guidance in order to help community institutions in the cybersecurity realm.

In November 2014, the FFIEC, on behalf of its members, released observations from the cybersecurity assessment and recommended regulated financial institutions participate in the Financial Services Information Sharing and Analysis Center. The FS-ISAC is a non-profit, information-sharing forum established by financial services industry participants to facilitate the public and private sectors' sharing of physical and cybersecurity threat and vulnerability information.

“The observation was much more specific,” Marshall explained, adding that it found that boards and senior executives knew very little about the risks to their organizations in regards to cybersecurity. “They told institutions to do a self-assessment and detailed analysis so the board would understand what their risks are and what needs to be done.”

They also discussed incident response planning and what appropriate controls are in place.

“Rapidly evolving cybersecurity risks reinforce the need for all institutions and their critical technology service providers to have appropriate methods for obtaining, monitoring, sharing and responding to threat and vulnerability information,” the FFIEC said. “Financial institution management is expected to monitor and maintain sufficient awareness of cybersecurity threats and vulnerability information so that they may evaluate risk and respond accordingly.”

The FFIEC's “Cybersecurity Assessment General Observations” also provided themes from the assessment and suggested questions for CEOs and boards of directors to consider when evaluating their institutions' cybersecurity preparedness. These included risk management and oversight, threat intelligence and collaboration, cybersecurity controls, external dependency management and cyber incident management and resilience.

Read more: A self-assessment tool is in the works for institutions …

“The observance and statements the FFIEC came out with were informational, but it was not guidance,” Marshall stated. “But they did make it clear that they would draft guidance.”

The planned 2015 work includes the development and issuance of a self-assessment tool that financial institutions can use to evaluate their readiness to identify, mitigate and respond to cyber threats. The FFIEC said in a recent press release that they will have a self-assessment toolkit available sometime this year.

The FFIEC plans to also enhance their incident analysis, crisis management, training and policy development, and expand its focus on technology service providers' cybersecurity preparedness. Additionally, it will continue to improve its collaboration with other agencies and communicate on the importance of cybersecurity awareness and best practices among financial industry participants and regulators.

“It helps the regulators serve a two-fold purpose,” Leet said. “They are there for safety and soundness purposes of course. A lot of community institutions lack the resources to assess security. They look to the regulations and guidance to give them a loose framework of the things they need to have in place.”

Marshall added, “They made it very clear that every institution needs to put together a strategy.

My opinion is that [the FFIEC] is going to come out sometime in the June to July timeframe, and they are going to require something such as a self-assessment. Once the guidance is clear that these are the steps expected from every financial institution, we are going to see a flurry of activity and focus.”

Marshall said Gladiator Technology is gearing up and already created a self-assessment based on the FFIEC's observations; CSI has an evaluation program, too.

“We have developed a cybersecurity risk assessment process where we sit down with [financial institutions] and go through the process,” Leet explained. “We score it and then a member of our team goes on-site and gives their controls a score. So it is a thorough quantitative risk assessment.”

One of CSI's clients, the $1.2 billion Hollywood, Calif.-based First Entertainment Credit Union, understands what's at stake.

“We take securing our members' information very seriously,” Janet Phillips, CIO for First Entertainment CU, explained. “In addition to being a regulatory requirement, conducting the cybersecurity risk assessment helps us identify security needs and prioritize projects to continually enhance our security position against evolving threats.”