WASHINGTON - A Federal Deposit Insurance Corp. publication on Monday advised banks to include cyber risk in standard disaster-planning and business-continuity exercises as part of general strategic-planning discussions.
"In addition to preparing for natural disasters and other physical threats, continuity now also means preserving access to customer data and the integrity and security of that data in the face of cyberattacks," the agency said in an article in Supervisory Insights, a journal authored by staff of the FDIC's Division of Risk Management Supervision.
The article more generally detailed the importance of bank boards' setting a well-defined and appropriate course for making strategic decisions. While bank profitability is affected by outside forces, the article said, an institution's success in dealing with a shifting environment relies on the preparedness of its leaders.
"External financial trends have an important influence on earnings, of course, but it is bank management that charts the course in the face of those trends and ultimately determines success," the article said.
The authors said "effective planning" should cover a three-to-five-year time horizon and be regularly reviewed as economic conditions change.
"Assessing risk involves not only understanding the bank's loans, investments and deposits, but taking a macro view by considering possible adverse changes in the institution's market area or to interest rates," the article said. "When evaluating risk-return tradeoffs, the next key question is whether the bank is positioned for sustained performance given its risk profile."
To simulate cybersecurity scenarios as part of disaster planning, the FDIC said banks could use the "Cyber Challenge," an assistance video created by the agency, to discuss operational issues arising from an attack. The article also mentioned the "Cybersecurity Assessment Tool" developed by the Federal Financial Institutions Examination Council.