On November 3, the Federal Financial Institutions Examination Counsel (FFIEC) released its cybersecurity assessment. During the summer of 2014, FFIEC piloted a cybersecurity assessment at more than 500 community institutions to evaluate the institutions’ preparedness to mitigate cybersecurity risks. The assessment supplemented regularly scheduled exams and built upon key supervisory expectations contained within existing FFIEC information technology handbooks and other regulatory guidance.
The Cybersecurity Assessment found that the level of cybersecurity inherent risk varies
significantly across financial institutions.Today’s financial institutions are critically dependent on IT to conduct business operations. This dependence, coupled with increasing sector interconnectedness and rapidly evolving cyber threats, reinforces the need for engagement by the board of directors and senior management, including understanding the institution’s cybersecurity inherent risk; routinely discussing
cybersecurity issues in meetings; monitoring and maintaining sufficient awareness of threats and vulnerabilities; establishing and maintaining a dynamic control environment; managing connections to third parties; and developing and testing business continuity and disaster recovery plans that incorporate cyber incident scenarios. As a result, the FFIEC also recommended that financial institutions of all sizes participate in the FS-ISAC as part of their process to identify, respond to, and mitigate cybersecurity threats and vulnerabilities. The FS-ISAC is a non-profit, information-sharing forum established by financial services industry participants to facilitate the public and private sectors’ sharing of physical and cybersecurity threat and vulnerability information.