First Look: FFIEC Explains New Cybersecurity Assessments


On Wednesday, the Federal Financial Institutions Examination Council announced plans for cybersecurity risk assessments of banks during a webinar. This closely followed New York State Governor Andrew Cuomo's announcement Tuesday that the state's Department of Financial Services will conduct cybersecurity exams of its banks.

Office of the Comptroller of the Currency spokesperson Stephanie Collins on Friday answered some of our basic questions about the new assessments.

What will these vulnerability and risk-mitigation assessments look like?

The vulnerability and risk mitigation assessment will consist of a new work program and assessment tool. This new program will be incorporated into community institution examinations this summer and will allow us to develop a baseline assessment across the sector of how they are managing cybersecurity risks. In order to ensure that we comprehensively assess the cybersecurity environment in which financial institutions operate, we also plan to involve a number of the most critical technology service providers.

Will they be standalone exams of banks, like safety and soundness exams?

No. The assessments will be part of the existing safety and soundness examination process and incorporated into the information technology reviews that already occur.

Is there a different model being used?

The assessments are the FFIEC's effort to identify gaps, which will inform future decisions and actions. The goal is to ensure that all regulated institutions are able to manage cybersecurity risks in line with their complexity and risk profile.

What should banks be doing to prepare?

The webinar offered several areas that bank management and boards of directors should focus on to help identify and mitigate cyber risks: setting the tone from the top and building a security culture; identifying, measuring, mitigating, and monitoring risks; developing risk management processes commensurate with the risks and complexity of the institutions; aligning cybersecurity strategy with business strategy and accounting for how risks will be managed both now and in the future; creating a governance process to ensure ongoing awareness and accountability; and ensuring timely reports to senior management that include meaningful information addressing the institution's vulnerability to cyber risks.
