Welcome to this week’s Third Party Thursday! My name is Aaron Kirkpatrick and I’m the Information Security Officer here at Venminder. In this video, we’re going to cover:
- Timeline of cybersecurity becoming a focus for examiners
- The issues at play
- Different ways your financial institution can comply
Timeline: How Cybersecurity Has Become a Focus for Examiners
- June 2013: The Federal Financial Institutions Examination Council, or FFIEC, established the Cybersecurity & Critical Infrastructure Workgroup.
- May 2014: The FFIEC announced plans for cybersecurity assessments to be included in the IT examination process.
- June 2014: Examiners ran a pilot program for cybersecurity examinations at 500 community banks and credit unions to determine if boards and executives were prepared for cyber resilience.
- June 2015: The FFIEC released its Cybersecurity Assessment Tool. It is currently a voluntary self-assessment tool that is sometimes used as part of the IT examination process. It is discussed in detail in our Third Party Thursday video FFIEC Cybersecurity Assessment Tool.
- November 2015: The FFIEC updated its Information Technology Examination Handbook with a focus on IT governance for boards of directors, the management of operational risk, and IT risk management.
- April 2016: The FFIEC added an appendix to its Information Technology Examination Handbook, Mobile Financial Services, focusing on the risks posed by mobile applications, mobile websites, wireless payment and SMS.
- December 2016: New York became the first state to create a cybersecurity regulation to protect consumer data and financial systems. This impacts financial institutions operating in New York. After a couple of rounds of revisions and strong opposition from parts of the industry, the regulation became effective March 1, 2017.
Cybersecurity will be a focus for examiners in 2017. Now is the time to prepare if you haven’t begun already.
The Issues at Play
- Satisfying Regulators: How will you comply with the regulatory focus on your vendors' cybersecurity?
  - Casually ask your vendors?
  - Check in once a year to request updated documents?
  - Assume/trust they have it covered?
- Protecting Your Future: When (not if) a breach or other business-impacting event happens at, or is caused by, one of your vendors, how much will it cost your institution...
  - In dollars?
  - In reputation?
  - In lawsuits?
  - In lost customers?
  - In internal effort?
How to Prepare
- Understand the Inherent Risk: Financial institutions need a solid methodology to identify the inherent risk from cyber threats. Start by defining the following:
  - Connection types and the flow of information
  - Products and services offered
  - Technologies implemented
- Prepare Your Controls: Once the inherent risks have been identified and documented, financial institutions need to focus on risk-mitigating controls. The FFIEC highlights the following areas:
  - Risk Management and Oversight: governance, allocation of resources, and employee training and awareness.
  - Threat Intelligence and Collaboration: the acquisition and analysis of information to identify, track and predict cyber capabilities, intentions and activities, offering courses of action that enhance decision making.
  - Cybersecurity Controls: controls can be preventive, detective or corrective.
  - External Dependency Management: connectivity to third-party service providers, business partners, customers or others, and the financial institution's expectations and practices for overseeing these relationships.
  - Cyber Incident Management and Resilience: incident detection, response, mitigation, escalation, reporting and resilience.
Different Ways Your Financial Institution Can Comply
- Outsource: There are new tools on the market that offer affordable, continuous and highly informative monitoring of your vendors' actual versus documented security posture. One such tool is SecurityScorecard, a Venminder partner.
- In-House: You may have someone on staff who understands how to assess and monitor your vendors for cybersecurity preparedness. Suggested qualifications for this function are a CISSP certification or an equivalent number of years of IT/information security experience.
  Ensure the staff member has the time and tools available to monitor on a continuous basis, since cybersecurity is a continuous threat. Remember that snapshot or point-in-time reviews create gaps and increase your risk.
In this video we’ve covered a short history of how we got to where we are today, impacts to financial institutions and a few things you can do about it. Again, I’m Aaron Kirkpatrick and thank you for watching! If you haven’t already, subscribe to the Third Party Thursday series.