During a webinar on Wednesday, the Federal Financial Institutions Examination Council (FFIEC) announced plans for cybersecurity risk assessments of banks. The announcement closely followed New York Governor Andrew Cuomo's statement on Tuesday that the state's Department of Financial Services will conduct cybersecurity exams of the banks it regulates.
Office of the Comptroller of the Currency spokesperson Stephanie Collins on Friday answered some of our basic questions about the new assessments.
What will these vulnerability and risk-mitigation assessments look like?
The vulnerability and risk-mitigation assessment will consist of a new work program and assessment tool. This new program will be incorporated into community institution examinations this summer and will allow us to develop a baseline assessment across the sector of how institutions are managing cybersecurity risks. In order to ensure that we comprehensively assess the cybersecurity environment in which financial institutions operate, we also plan to involve a number of the most critical technology service providers.
Will they be standalone exams of banks, like safety and soundness exams?
No. The assessments will be part of the existing safety and soundness examination process and incorporated into the information technology reviews that already occur.
Is there a different model being used?
The assessments are the FFIEC's effort to identify gaps, which will inform future decisions and actions. The goal is to ensure that all regulated institutions are able to manage cybersecurity risks in line with their complexity and risk profile.
What should banks be doing to prepare?
The webinar offered several areas that bank management and boards of directors should focus on to help identify and mitigate cyber risks: setting the tone from the top and building a security culture; identifying, measuring, mitigating, and monitoring risks; developing risk management processes commensurate with the risks and complexity of the institutions; aligning cybersecurity strategy with business strategy and accounting for how risks will be managed both now and in the future; creating a governance process to ensure ongoing awareness and accountability; and ensuring timely reports to senior management that include meaningful information addressing the institution's vulnerability to cyber risks.