In March, the Federal Financial Institutions Examination Council provided an overview of its 2015 cybersecurity priorities, which included work streams and a self-assessment tool, and industry observers believe this is a precursor to issuing cybersecurity guidance.

The priorities grew out of last year's pilot assessment of cybersecurity readiness at more than 500 financial institutions, conducted by state and federal regulators during regularly scheduled examinations. The information pilot effort helped assess how community financial institutions manage cybersecurity and their preparedness to mitigate increasing cyber risks.

“The FFIEC created a task force focused on cybersecurity as a result of all the breaches and cyberattacks,” Jackie Marshall, director of IT regulatory compliance for Gladiator Technology, a part of the Dallas-based ProfitStars, a Jack Henry Company, said. “It wanted to see where institutions were in their strategy in terms of cybersecurity.”

Tyler Leet, director of risk and compliance services at the Paducah, Ky.-based CSI, added, “They wanted a better understanding of where community financial institutions stood with their cybersecurity posture and the controls they had in place, and areas they think need to be improved.”

The goal, Leet explained, is to use that information to develop more comprehensive examination procedures and provide updates to the guidance in order to help community institutions in the cybersecurity realm.

In November 2014, the FFIEC, on behalf of its members, released observations from the cybersecurity assessment and recommended regulated financial institutions participate in the Financial Services Information Sharing and Analysis Center. The FS-ISAC is a non-profit, information-sharing forum established by financial services industry participants to facilitate the public and private sectors' sharing of physical and cybersecurity threat and vulnerability information.

“The observation was much more specific,” Marshall explained, adding that it found that boards and senior executives knew very little about the risks to their organizations in regards to cybersecurity. “They told institutions to do a self-assessment and detailed analysis so the board would understand what their risks are and what needs to be done.”

They also discussed incident response planning and what appropriate controls are in place.

“Rapidly evolving cybersecurity risks reinforce the need for all institutions and their critical technology service providers to have appropriate methods for obtaining, monitoring, sharing and responding to threat and vulnerability information,” the FFIEC said. “Financial institution management is expected to monitor and maintain sufficient awareness of cybersecurity threats and vulnerability information so that they may evaluate risk and respond accordingly.”

The FFIEC's “Cybersecurity Assessment General Observations” also provided themes from the assessment and suggested questions for CEOs and boards of directors to consider when evaluating their institutions' cybersecurity preparedness. These included risk management and oversight, threat intelligence and collaboration, cybersecurity controls, external dependency management and cyber incident management and resilience.

Read more: A self-assessment tool is in the works for institutions …

“The observance and statements the FFIEC came out with were informational, but it was not guidance,” Marshall stated. “But they did make it clear that they would draft guidance.”

The planned 2015 work includes the development and issuance of a self-assessment tool that financial institutions can use to evaluate their readiness to identify, mitigate and respond to cyber threats. The FFIEC said in a recent press release that they will have a self-assessment toolkit available sometime this year.

The FFIEC plans to also enhance their incident analysis, crisis management, training and policy development, and expand its focus on technology service providers' cybersecurity preparedness. Additionally, it will continue to improve its collaboration with other agencies and communicate on the importance of cybersecurity awareness and best practices among financial industry participants and regulators.

“It helps the regulators serve a two-fold purpose,” Leet said. “They are there for safety and soundness purposes of course. A lot of community institutions lack the resources to assess security. They look to the regulations and guidance to give them a loose framework of the things they need to have in place.”

Marshall added, “They made it very clear that every institution needs to put together a strategy.

My opinion is that [the FFIEC] is going to come out sometime in the June to July timeframe, and they are going to require something such as a self-assessment. Once the guidance is clear that these are the steps expected from every financial institution, we are going to see a flurry of activity and focus.”

Marshall said Gladiator Technology is gearing up and already created a self-assessment based on the FFIEC's observations; CSI has an evaluation program, too.

“We have developed a cybersecurity risk assessment process where we sit down with [financial institutions] and go through the process,” Leet explained. “We score it and then a member of our team goes on-site and gives their controls a score. So it is a thorough quantitative risk assessment.”

One of CSI's clients, the $1.2 billion Hollywood, Calif.-based First Entertainment Credit Union, understands what's at stake.

“We take securing our members' information very seriously,” Janet Phillips, CIO for First Entertainment CU, explained. “In addition to being a regulatory requirement, conducting the cybersecurity risk assessment helps us identify security needs and prioritize projects to continually enhance our security position against evolving threats.”

Complete your profile to continue reading and get FREE access to CUTimes.com, part of your ALM digital membership.

Your access to unlimited CUTimes.com content isn’t changing.
Once you are an ALM digital member, you’ll receive:

  • Breaking credit union news and analysis, on-site and via our newsletters and custom alerts
  • Weekly Shared Accounts podcast featuring exclusive interviews with industry leaders
  • Educational webcasts, white papers, and ebooks from industry thought leaders
  • Critical coverage of the commercial real estate and financial advisory markets on our other ALM sites, GlobeSt.com and ThinkAdvisor.com
NOT FOR REPRINT

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.

Roy Urrico

Roy W. Urrico specializes in articles about financial technology and services for Credit Union Times, as well as ghostwriting, copywriting, and case studies. Also: writer/editor of a semi-annual newsletter for Association for Financial Technology since 1997 and history projects funded by the U.S Interior Department, National Park Service and Warren County (N.Y.).