Regulators detail cybersecurity expectations

Bank regulators expect all banks to demonstrate critical cyber risk management in at least four areas: governance, threat intelligence, vendor management, and incident response and resilience.

This was the key message of a recent webinar presented by the Federal Financial Institutions Examination Council, which emphasized that midsized and community banks increasingly are targeted by cyber criminals. Approximately 5,000 CEOs and senior managers attended the webinar, FFIEC says.

“The financial services sector is facing high-impact, high-likelihood threats that will require better risk management. The topic of cyber security can be overwhelming, but getting a grip on these four concepts is a vital first step,” said Chris Olson, supervisory financial analyst for the Federal Reserve Board of Governors, during the presentation. “We need to integrate cyber risk management into business processes as a business-as-usual activity. Regulators want to see evidence that vendor risk is managed over the life of the contract, that threat intelligence is used to inform risk assessments, and, of course, that appropriate governance processes exist.”

Olson provided these key questions that CEOs and other senior managers should ask for each of the four areas:

• Governance—How is the staff at my institution providing me with accurate and timely information about our risks and our ability to mitigate them, so that I can prioritize our resource allocations and inform the board of directors?
• Threat intelligence—How is my organization identifying and monitoring cyber threats and attacks both to my institution and to the sector as a whole? How is this information used to inform my risk assessment process?
• Third-party relationships—How are we managing the third-party relationship risk management life cycle at our institution to ensure that we are selecting the best third parties and identifying, monitoring, and mitigating the risk exposure for third parties?
• Incident response and resilience—How often is my institution testing its plans to respond to a cyber attack? Do these tests include our key internal and external stakeholders?

FFIEC also announced a vulnerability and risk-mitigation assessment as well as regulatory self-assessment of supervisory policies that will be conducted later this year. The assessments will help the FFIEC member agencies make informed decisions about the state of cybersecurity across community institutions and address gaps and prioritize necessary actions to strengthen supervisory programs.

Click here for a copy of the webinar slides