FDIC on Why Banks Need a Disaster Plan for Cyber ThreatsThe Need to Add Responses to Cyber Risks to Business Continuity Exercises
Federal banking regulators have for the last year been pushing community banks and credit unions to enhance their cybersecurity assessment and risk management strategies.
The Federal Deposit Insurance Corp.'s "Supervisory Insights" summer 2015, published this week, reminds these smaller financial institutions about an online resource they can use to conduct exercises designed to help them prepare to deal with emerging cyber risks.
"In addition to preparing for natural disasters and other physical threats, business continuity now also means preserving access to customer data and the integrity and security of that data in the face of cyber-attacks."
The FDIC's "cyber challenge" program offers a series of videos and exercises to help banks consider appropriate steps for dealing with key threats, including account take-over, malware infections and other risks related to third parties and vendors.
"We have always expected business continuity and disaster recovery considerations to be incorporated in an institution's business model," the report states. "However, in addition to preparing for natural disasters and other physical threats, continuity now also means preserving access to customer data and the integrity and security of that data in the face of cyber-attacks."
That's why FDIC says it "encourages banks to practice responses to cyber-risk as part of their regular disaster-planning and business-continuity exercises."
The FDIC suggests that community bank directors use the cyber challenge program to openly discuss operational risks with their peers and employees and review the potential impact of cyber-attacks and other technology disruptions on their customers and operations.
FDIC's Cyber Challenge
"Cyber Challenge: A Community Bank Cyber Exercise," is available on the FDIC's website. The program includes four real-world attack and cyber-threat scenarios presented in brief videos. After viewing the scenarios, participants are directed to materials that pose questions and possible solutions for banking teams to discuss.
The scenarios include a processing failure; an account takeover incident; a phishing attack that infects a bank's network with malware; and operational problems stemming from an institution's technology service provider performs an update.
Amy McHugh, an attorney and former FDIC examination specialist who now works as a senior IT consultant at CliftonLarsonAllen, tells me that some of her bank and credit union clients say the program has helped them come up with actionable ways to identify and respond to cyber threats.
"The FDIC last year sent FDIC-regulated institutions a folder with cybersecurity information and test scenario material, which matches up with what is on the FDIC website, for them to review and complete as part of incident response/cybersecurity testing," she notes.
One executive with a top-tier institution based on the East Coast says the program is a valuable resource for community banks, which often are not as familiar with emerging cyber-risks as larger institutions and have limited educational resources.
And David Pollino, bank fraud prevention officer at Bank of the West, says the FDIC's program "will certainly be helpful to the chief security officers of smaller banking institutions."
"The videos, in particular, will help make operational risk and the impact of information technology disruptions, such as customer account take-over, real," he says. "The materials can help smaller institutions ensure that they're thinking through the elements of cyber-related issues, in advance, so that they're creating and testing their plans before they may need to deploy one in response to a real customer situation."
But for larger institutions, like Bank of the West, more sophisticated employee training is needed, Pollino says. "As a larger institution, we've created a movie-quality educational video as part of our BCP [business continuity plan] process - we've been using it for a while and we've seen it increase the effectiveness of our employee education," he says. "We've also been working to educate our business customers about the importance of creating and testing their own plans."
In addition to the FDIC's cyber challenge program, banking agencies have offered guidance to help institutions improve their cybersecurity resilience and awareness - a weak point noted last summer during the Federal Financial Institutions Examination Council's piloted cyber exam program that included more than 500 community institutions.
In February, the FFIEC issued new Cyber-Resilience Guidance as part of an appendix it added to its Business Continuity Planning Booklet, which was first issued in March 2003 within the FFIEC's IT Examination Handbook.
And banking regulators have provided the Cyber Assessment Tool, which the FFIEC released this summer to help institutions gauge their risk and cybersecurity improvements. It's designed to help banking institutions of all sizes assess and identity risks and weaknesses in their cybersecurity preparedness programs, and is expected to be incorporated into the regulatory cyber exam process next summer.
Given the many threats they now face, community banks and credit unions should take advantage of all available resources, including the FDIC's Cyber Challenge program.