FFIEC Details How Banks Must Manage Cyber Risk

The Federal Financial Institutions Examination Council has released updated cybersecurity guidance for bank examiners.

In the revised "information security" section of its handbook for examiners, the FFIEC details how financial institutions are expected to manage cybersecurity risk.

Banks are expected to manage their information technology risk at several levels, the council said in a statement Friday. Those range from "risk identification" to "risk measurement" to "risk mitigation" and "risk monitoring and reporting."

Banks are also encouraged to develop effective responses to threats and incidents.

The guidance will "help examiners measure the adequacy of an institution's culture, governance, information security program, security operations, and assurance processes," the FFIEC said.

The FFIEC is made up of the heads of the Federal Reserve, the Federal Deposit Insurance Corp., the Consumer Financial Protection Bureau, the Office of the Comptroller of the Currency and the National Credit Union Administration. The council helps coordinate bank examinations.

In June, the interagency organization urged banks to "actively manage the risks associated with interbank messaging and wholesale payment networks," in light of recent Swift breaches that led to the cybertheft of $81 million from Bangladesh's central bank.
