Pub. 4 2015 Issue 9
Leading advocate for the banking industry in Kansas

FIVE STEPS TO PASSING YOUR NEXT REGULATORY IT EXAM
By Steve Sanders

Following the pilot cybersecurity exams conducted last summer by the Federal Financial Institutions Examination Council (FFIEC), many banks aren't sure what to expect at their next IT exam, if that is indeed where cybersecurity will be addressed, and fear the worst. Rather than be paralyzed by fear, address the key areas on which federal regulators will most likely focus at exam time by following these five steps.

Step 1: Know Your Cybersecurity Risk Profile and Maturity Level

What to Expect: Examiners will now expect banks to have a much better understanding of their cybersecurity risk profile and maturity level.

How to Prepare: The key to gaining that understanding, and to demonstrating it at exam time, is the FFIEC's recently published Cybersecurity Assessment Tool. It is surprisingly well organized, easy to use and comprehensive. Using either the FFIEC's assessment or a comparable tool, complete these two tasks:

Determine Your Inherent Risk Profile
The assessment helps your bank identify its inherent risks in the following key areas and rate each of them:
• Technologies and Connection Types
• Delivery Channels
• Online/Mobile Products and Technology Services
• Organizational Characteristics
• External Threats

Determine Your Cybersecurity Maturity
This portion of the assessment gauges whether your bank's behaviors, practices and processes adequately support its cybersecurity preparedness. It covers the following domains, to each of which your bank assigns a maturity level based on its findings:
• Cyber Risk Management and Oversight
• Threat Intelligence and Collaboration
• Cybersecurity Controls
• External Dependency Management
• Cyber Incident Management and Resilience

Step 2: Limit Your Exposure

What to Expect: After Step 1, you should have a clear sense of where your bank is exposed, that is, where its inherent risk is high relative to its maturity in that area. Examiners will expect you to act to limit that exposure.

How to Prepare: Depending on the area of exposure, this takes one of two forms:

Reduce the Level of Risk in Exposed Areas
For example, if your bank has too many unnecessary Internet-facing servers, decommissioning them removes the attack surface those servers present and lowers the bank's inherent risk of a breach through them.

Increase the Maturity Level in Exposed Areas
Reducing inherent risk is not always feasible. Limiting customers' mobile channel options, for instance, would reduce the bank's exposure to attack, but it would also upset customers, exchanging one risk (breach) for another (lost customers). Where the risk must be accepted, raise the cybersecurity maturity level in that area so that the bank's controls and practices match the risk it carries.

Step 3: Include Cybersecurity in Your BCP and Incident Response Plan

What to Expect: Following the publication of Appendix J of the FFIEC's Business Continuity Planning Booklet, examiners will expect Business Continuity Programs (BCP), including Incident Response Plans, to be updated with cybersecurity references. Appendix J outlines specific cyber risks to consider:
1. Sophisticated malware focused on data corruption and unauthorized financial transactions
2. Insider threats from disgruntled employees or moles planted by cyber criminals
3. Data or systems corruption due to a cyberattack
4. Disruption of communications capabilities and infrastructure due to a cyberattack
5. Simultaneous cyberattacks on financial institutions and their technology service providers (TSPs)

Continued on page 22