FFIEC Plans Cybersecurity Assessments
Exams Aim to Improve Community Banks' Preparedness
The Federal Financial Institutions Examination Council is planning cybersecurity vulnerability and risk-mitigation assessments to help smaller banking institutions address potential gaps. The effort is expected to begin later this year.
The assessments will help FFIEC member agencies, such as the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corp., make informed decisions about the state of cybersecurity at community institutions, address gaps and prioritize necessary actions to strengthen supervisory programs, the FFIEC says in a May 7 statement.
The FFIEC's announcement came a day before Thomas Curry, Comptroller of the Currency and chairman of the FFIEC, delivered a speech at the Risk Management Association's Governance, Compliance and Operational Risk Conference that included a reference to new cybersecurity examination procedures the OCC expects to pilot later in the summer.
"To be managed properly, operational risk issues must be viewed in terms of their impact on the entire enterprise, not merely as - to use cybersecurity as an example - an IT Issue," Curry says. "That requires a fully integrated and comprehensive approach to risk management, which is exactly what the OCC's heightened expectations are intended to achieve."
On May 7, the FFIEC held a webinar for CEOs and senior managers of community financial institutions to help raise awareness about the pervasiveness of cyberthreats, as well as to discuss the role executive leadership should play in managing those risks.
Focus on Cybersecurity
In his speech on the need for better risk management, Curry noted the increased sophistication of cyber-attacks.
"While banks have been effective in defending against direct attacks, they have nonetheless sustained large losses - both in dollars and in public confidence - as a result of successful attacks on interrelated third parties, such as major retailers," he said.
He also noted: "I am struck by the increasing level of cooperation among banks to combat cyberthreats and develop effective risk mitigation tactics. That itself represents something of a cultural shift, as banks increasingly recognize that information sharing is not a competitive issue, but rather an essential component of a strategy to protect themselves and the entire financial sector."
The FFIEC, through its Cybersecurity and Critical Infrastructure Working Group, is working with banks and credit unions, as well as their critical service providers, to identify, assess and mitigate cybersecurity risks, Curry said.
Banking institutions' increasing reliance on third parties is an ongoing concern, he added. "If third parties are not vigilant about risk management, their own systems could provide a point of entry for attackers seeking access to the financial system."
Curry also discussed the risks posed by third parties in an April 16 speech (see OCC's Curry: Third-Party Risks Growing).
(Executive Editor Tracy Kitten contributed to this story.)