Date: November 3, 2014
Description: Cybersecurity Assessment General Observations and Statement
The Federal Financial Institutions Examination Council (FFIEC), on behalf of its members, today released the “FFIEC Cybersecurity Assessment General Observations” and the “Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement.” These documents address findings from the 2014 Cybersecurity Assessment pilot examination work program. These documents also encourage regulated financial institutions to participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC).
Note for Community Banks
“Cybersecurity Assessment General Observations” includes questions for community bank boards of directors and senior management to consider when assessing their cybersecurity risk.
Participation in information-sharing forums is an important element of community banks’ risk management processes and their ability to identify, respond to, and mitigate cyber threats and incidents.
National banks and federal savings associations (collectively, banks) need to understand their inherent cybersecurity risks and consider current practices and overall preparedness, focusing on the following:
- Risk management and oversight
- Threat intelligence and collaboration
- Cybersecurity controls
- External dependency management
- Cyber incident management and resilience
Information sharing is an important element of a bank’s risk management processes and its ability to identify, respond to, and mitigate cyber threats and incidents.
Banks are expected to
- monitor and maintain sufficient awareness of cyber threat and vulnerability information; and
- establish procedures for how to evaluate and apply that information.
During the summer of 2014, FFIEC members piloted the Cybersecurity Assessment, a cybersecurity examination work program at more than 500 community institutions, to evaluate those institutions’ preparedness to mitigate cybersecurity risks.
Rapidly evolving cyber risks reinforce the need for all institutions and their critical technology service providers to have appropriate methods for monitoring, sharing, and responding to threat and vulnerability information, including participation in the FS-ISAC.
Please contact the Operational Risk Division at (202) 649-6550.
Carolyn G. DuChene
Deputy Comptroller for Operational Risk