Regulators Planning Cybersecurity Assessments for Banks

The Federal Financial Institutions Examination Council (FFIEC) announced last week that it will work harder to try to identify vulnerabilities in smaller community banks and is planning to better raise awareness when it comes to cyber threats.

A government agency in charge of developing standards for the nation’s banks announced last week that it will work harder to try to identify vulnerabilities in smaller community banks and that it’s planning to better raise awareness when it comes to cyber threats.

The Federal Financial Institutions Examination Council (FFIEC), a group responsible for developing banking standards and principles, announced its plans last week during a webinar for 5,000 bank CEOs and managers.

In the talk, called “What Today’s CEO Needs To Know About the Threats They Don’t See,” (.PDF) the group stressed it needs to build a “security culture” in order to identify, measure, mitigate and monitor risks in their industry.

To foster that culture, the FFIEC announced it will be implementing a new vulnerability and risk-mitigation assessment as well as a regulatory self-assessment of supervisory policies and processes later this year. According to the group, after a short pilot phase, both tests will be in place by later this year. They’ll help “address gaps and prioritize necessary actions” in order to fortify the strategies small banks already have in place when it comes to risk management.

According to Stephanie Collins, a spokesperson with the Office of the Office of the Comptroller of the Currency, the assessments will be included in the existing safety and soundness examination process and also shoehorned into the information technology reviews.

Collins, who discussed the plans with American Banker on Friday, it will “ensure that all regulated institutions are able to manage cybersecurity risks in line with their complexity and risk profile.”

The group is also in the middle of developing what it’s calling a security toolkit for small banks and a mentorship program that will link small banks to big banks to discuss cybersecurity issues.

Much like it did in April earlier this year, during the webinar the group made reference to organized cybercrime, including the “large dollar value” ATM cash out scheme Unlimited Operations that netted some attackers $40 million in 2012. The FFIEC cautioned banks early last month to be aware of the risks associated with distributed denial of service (DDoS) attacks and warned about the rampant ATM fraud the group had seen over the past several years.

The group also used last week’s webinar as an opportunity to discuss a recent talk the Financial Services Information Sharing and Analysis Center’s (FS-ISAC) Community Institution Council held regarding ATM machines as they relate to Windows XP, which of course, Microsoft recently ended support of.

For bankers not yet familiar, Bill Nelson, the President and CEO of FS-ISAC, pointed out that 95 percent of ATMs run XP and stressed that officials from the Community Institution Council are continuing to share strategies on how to extend ATM maintenance in the face of depreciating and increasingly targeted software.

The FFIEC oversees a handful of institutions, chief among them the Federal Deposit Insurance Corporation (FDIC) and the National Credit Union Administration (NCUA).

The announcement came a day before Thomas J. Curry, the group’s Chairman and Comptroller, spoke at the Risk Management Association’s Governance, Compliance, and Operational Risk Conference in Cambridge, Mass. Curry pointed out during a speech (.PDF) that helping to make banks less vulnerable and more resilient to cyber-attacks has been one of my top priorities and that the FFIEC’s Cybersecurity and Critical Infrastructure Working Group, which he formed last summer, is going to spearhead this new assessment initiative.

The FFIEC’s presentation happened to come just two days after a similar report was issued by the New York Department of Financial Services that also called for better bank cybersecurity preparedness.

That report (.PDF), released by New York governor Andrew Cuomo, examined the state of cyber security in the Empire State’s banking sector and made clear that New York will implement metrics for cybersecurity preparedness in the near future.

Suggested articles