Cyber-attacks are escalating at an unprecedented pace and with frightening ferocity. Successful attacks not only result in major service disruptions and theft of data, but also in the appropriation of infrastructure to perpetuate attacks on others. According to Forbes, the average loss per incident is up 23% year-over-year, and the number of organizations reporting losses of more than $10 million per incident is up 75% from just two years ago.
Cyber-attacks have the potential to impact our national security, economic growth and consumer confidence. Every financial institution, regardless of size or geographic location, is a potential target. Preparing for and responding to this growing threat is an executive responsibility.
Transition from Information Security to Cybersecurity
Traditional bank-centric information security programs have centered on protecting customer information as required by the Gramm-Leach-Bliley Act (GLBA) and codified in the Interagency Guidelines Establishing Information Security Standards. GLBA is now 15 years old. Long gone are the days when financial institutions operated solely within four walls. Today, every institution utilizes the Internet to deliver innovative services, expand geographic reach, and attract new customers. The proportion of electronic versus traditional banking transactions is growing rapidly. In many cases, the products and services are owned, managed, and maintained by third parties.
This interconnectedness, together with the motivation of cybercriminals and cyber terrorist organizations to steal, disrupt, and cause harm, means that banks must expand their current information security programs.
Cybersecurity expands the traditional definition of information security to include the protection of all systems and data, both internal and externally facing, as well as the evaluation of both internal and external threats.
Cybersecurity Examination Announcement
In May of 2014, the Federal Financial Institutions Examiners Council (FFIEC) Cybersecurity and Critical Infrastructure Working Group, whose members include the FDIC, FRB, OCC, NCUA and the CFPB, announced their intention to expand examinations to include an assessment of cybersecurity risk management and resiliency. In conjunction with this announcement, the FFIEC reinforced the expectation that senior management and boards of directors must provide cybersecurity leadership, align business and cybersecurity strategy, and create a governance process to ensure ongoing awareness and accountability.
Setting the Tone from the Top
During the summer of 2014, the FFIEC member agencies piloted a cybersecurity examination work program at over 500 community financial institutions with the objective of evaluating preparedness to mitigate cyber risks. They found that the level of preparedness varied significantly across institutions of various sizes and charters. Not surprisingly, the common denominator for institutions that fared well was executive awareness of cybersecurity threats. Executives and boards of directors set policy, approve budgets and provide leadership. Setting the tone from the top is essential. It cannot be stressed enough that cybersecurity risk management is not an IT issue. It is an organizational imperative.
Ensure Your Cyber Resiliency
Financial institutions must have a framework and methodology in place to evaluate their cybersecurity posture, implement appropriate controls, and communicate cybersecurity and cyber resiliency requirements. While not mandatory, there is an expectation that financial institutions will utilize the FFIEC Cybersecurity Assessment, based on the NIST Cybersecurity Framework, as a way to measure cybersecurity readiness and resilience, as well as to create a cybersecurity roadmap. Use of this voluntary Framework is the next step to improving the cybersecurity of our Nation's critical infrastructure, adhering to regulatory expectations, and honoring the public trust.
Executive Cybersecurity Readiness Program Now Available!
In response to the escalation of cyber-attacks, Sage Data Security has designed an Executive Cybersecurity Readiness Program specifically for Executive Management and Boards of Directors. The subscription program includes educational briefings, quarterly threat and regulatory updates, a cybersecurity resilience assessment, facilitated incident response exercises, and priority incident response services.