Patrick Doring and Greg Strom contributed to this article.
Strong cybersecurity controls continue to be extremely important due to the frequency of cyber attacks and the severity of losses that could result from a control breakdown. Headlines remind us almost daily of the ever-present and evolving cybersecurity risks facing financial institutions. State-sponsored hackers, botnets, distributed denial of service attacks, account takeovers, ransomware and good old-fashioned viruses are just a few of the threats you need to consider when evaluating your organization’s risk and preparedness.
This article will discuss some of the common challenges illustrated in examination findings, highlight some measures you can take to proactively strengthen those areas in your organization and give a brief overview of how the Federal Reserve Bank of Minneapolis assesses cybersecurity risk.
Common examination findings
Cybersecurity risk assessments
We have observed many institutions in which management has not adequately assessed cybersecurity risk applicable to their organization nor appropriately communicated results and related action plans to the board of directors.
One effective tool bankers can use to conduct cybersecurity risk assessments is the Federal Financial Institutions Examination Council's (FFIEC) Cybersecurity Assessment Tool (CAT).1 The CAT helps an institution identify its inherent cybersecurity risk and determine the maturity level of its cybersecurity preparedness. The baseline maturity level in the tool is characterized as meeting the minimum expectations required by law and regulations or recommended by supervisory guidance; gaps between the institution's inherent risk and its maturity level are the items that should drive action plans and board reporting. We encourage you to use the CAT for this assessment, but it is not a supervisory requirement and you may use another method.
Virtualization and cloud technologies
Many banks are adopting virtualized and/or cloud technologies and often outsource the installation, configuration and even management of these systems to third parties. These technologies allow banks to decrease costs and increase efficiency by reducing the need for physical servers and data center space. Virtualization allows multiple servers and applications to run on a single piece of physical hardware, while cloud computing uses virtualization to deliver shared computing resources as a service, on demand, over the internet. Outsourcing the work does not outsource the responsibility: the bank remains accountable for the security of its data and systems regardless of who administers them. We have noted a number of instances in which controls (for example, administrative access to the hypervisor or cloud management console, network segmentation between virtual machines, and backup and encryption settings) were not properly configured, documented or understood by the bank, and oversight of critical vendors was inadequate.
Examiners look for documentation and independent validation of security configurations and access levels for virtualization and cloud technologies. Independent means validated by someone other than the party that performed the configuration, such as internal audit or a separate third-party review. We also check for formalized vendor oversight programs, including defined data and hardware ownership, ongoing monitoring and reporting processes and data privacy expectations.2
Business resiliency planning
In today's environment, no set of controls can be expected to prevent every type of cyber incident. Sound resiliency planning, including incident response, business continuity and disaster recovery plans, is therefore essential to limit the impact of a cyber incident on your organization. However, we continue to identify instances of outdated or inadequate business resiliency planning and testing.
Bankers can strengthen their organization's resiliency by ensuring plans are up to date and usable for a wide range of events, including cyber events such as ransomware or a compromise at a critical service provider. Ensure that staff, management and vendors are aware of the plans and of their responsibilities under them. Test the plans periodically and include critical vendors, senior management, and both information technology (IT) and business line personnel.
Effective plans go beyond traditional disaster recovery testing: they are tested throughout the year and cover a variety of scenarios, including tabletop exercises for potential cyber incidents. Document the results and the lessons learned from each test, and report them to your board of directors, given the importance of this topic.
How do examiners assess your cybersecurity readiness?
The Federal Reserve System is now using the Information Technology Risk Examination (InTREx) Program for planning and conducting IT examinations at Reserve Bank–supervised financial institutions. InTREx is a collection of examination workpapers and modules used to assist in completing IT examinations. The FDIC is also using InTREx.3
InTREx is scalable, allowing examiners to use it for noncomplex as well as complex institutions. InTREx begins with a standardized IT risk profile that establishes the institution's inherent risk level. Based on that level, examiners select the InTREx work programs and modules needed to assess the risks within the IT examination scope.
InTREx requires an assessment of cybersecurity preparedness that ties to the baseline controls identified in the CAT. In addition, InTREx guides examiners through an assessment of compliance with Section 501(b) of the Gramm-Leach-Bliley Act, which requires institutions to safeguard the security and confidentiality of customer information. Upon completion of the core modules, examiners assign an IT composite rating and component ratings based on the Uniform Rating System for Information Technology (URSIT).4 The Report of Examination contains the results of the assessment and any Matters Requiring Attention identified during the review.
1 FFIEC Cybersecurity Assessment Tool, “Overview for Chief Executive Officers and Boards of Directors,” June 2015
2 SR 13-19 / CA 13-21, “Guidance on Managing Outsourcing Risk,” December 2013
3 FDIC FIL-43-2016, "Information Technology Risk Examination (InTREx) Program, Enhanced Information Technology and Operations Risk Examination Procedures," June 2016
4 SR 99-8, “Uniform Rating System for Information Technology,” March 1999