Should Banks Expect New Cybersecurity Guidance?
Experts Say FDIC Publication Suggests No Formal Action Coming
How will federal banking regulators respond to growing criticism of the Cybersecurity Assessment Tool issued by the Federal Financial Institutions Examination Council?
There is no formal response yet, but the Federal Deposit Insurance Corp. has issued a new publication that leads some banking and security experts to believe no new guidance is forthcoming.
In its winter edition of Supervisory Insights, the FDIC's Division of Risk Management Supervision provides a synopsis of cybersecurity guidance, tools and best practices - all of which is meant to hammer home the point that regulatory examiners will continue to scrutinize whether banking institutions are carrying out these recommendations.
Al Pascual, head of fraud and security at Javelin Strategy & Research, is among those predicting that, based on the issuance of the synopsis, no new guidance is on the way. Instead, examiners likely will continue to use the FFIEC's Cybersecurity Assessment Tool, even though its use is supposedly voluntary.
"They cite a wealth of information and resources available to FIs [financial institutions] for managing cyber risk," he says. "It would seem to me, in keeping with sound regulatory practice, that the FDIC would not further raise the compliance burden of FIs, especially on such a fast-moving topic, if there is timely information elsewhere that they are implicitly standing behind."
Amy McHugh, an attorney and former IT examination analyst with the FDIC who now works as a banking consultant for CliftonLarsonAllen, notes: "This is an interim response to the issues raised recently by the industry about the lack of guidance. Instead of providing additional guidance, they just summarized previous information."
Criticisms of Cyber Assessment Tool
In recent weeks, bankers have been critical of examiners' use of the FFIEC's Cybersecurity Assessment Tool because its use is supposed to be voluntary (see Banks to FFIEC: Cyber Tool is Flawed).
But McHugh says it's likely the tool will continue to be used during the examination process, even though this most recent edition of the FDIC's Supervisory Insights suggests banks should rely more heavily on the National Institute of Standards and Technology Cybersecurity Framework.
"Use of the [NIST] cybersecurity framework is not intended to replace a bank's traditional information security program, but rather modify the program to address emerging cyber risks," according to the article, which is credited to Michael B. Benardo and Kathryn M. Weatherby of the Cyber Fraud and Financial Crimes Section of the FDIC's Division of Risk Management Supervision. "A bank's information security program should evolve as the operating environment and the threat landscape change. An effective information security program is not static and should be regularly evaluated and updated."
Bank management must incorporate the cybersecurity principles noted in the NIST framework into the bank's overall risk-management framework, the authors note in their synopsis.
McHugh contends, however, that while using the NIST framework as a guidepost for security makes sense, most of the regulatory examiners currently evaluating the cybersecurity soundness of banking institutions are less familiar with it than they are with the Cybersecurity Assessment Tool.
"The CAT [Cybersecurity Assessment Tool] will continue to be a discussion point in exams for 2016," she says. "If they have the time, I would recommend FIs [financial institutions] begin familiarizing themselves with the NIST framework but focus on the CAT for this year."
Matt Neely, director of strategic initiatives and management consulting at financial consultancy and compliance firm SecureState, says regulators' mention of the Cybersecurity Assessment Tool "continues to show the importance of this tool."
"More so, it further hints to the fact that this tool is more mandatory than optional," he adds. "We have seen more regulators using this tool during their audits, which in the past hasn't been regarded as a requirement."
The FDIC's Division of Risk Management Supervision's release of the synopsis suggests that banking regulators want to make sure existing guidelines, tools and best practices are being applied, Neely says. "For example, we are seeing that more of our clients are needing to do more in-depth security testing on their Web and mobile applications, because past testing was deemed as failing to meet requirements," he says.
12 Regulatory Actions, Resources of Note
The FDIC synopsis points to 12 key regulatory actions and resources:
- FFIEC's statement on cyberattacks involving extortion.
- FFIEC's Cybersecurity Assessment Tool.
- FFIEC's statement on destructive malware.
- FFIEC's statement on cyberattacks compromising credentials.
- FFIEC's statement on cybersecurity threat and vulnerability monitoring and sharing.
- Cybersecurity awareness technical assistance videos designed to educate bank directors about cybersecurity risks and risk management programs aimed at educating the board.
- A vendor management technical assistance video, to be released in early 2016, designed to help bank directors understand their responsibilities for governing a vendor risk management program.
- Cyber Challenge: A Community Bank Cyber Exercise, the FDIC's simulation exercise designed to get community banks talking about operational risks and the impact of IT disruptions on common banking functions.
- Corporate governance technical assistance video, a review of corporate governance principles vital to a director's role at a bank.
- An information technology technical assistance video aimed at improving bank directors' awareness of effective risk management practices.
- FFIEC Webinar: "Executive Leadership of Cybersecurity: What Today's CEOs Need to Know About the Threats They Don't See".
- "Strengthening the Resilience of Outsourced Technology Services," an appendix to the Business Continuity Planning IT Booklet.
Cybersecurity attorney Chris Pierson, who also serves as CISO of payments and invoicing provider Viewpost, says the FDIC wants to reiterate that cybersecurity controls and governance are top priorities.
"It seems less likely that wholly new guidance will be out, but, rather, that the FDIC and other prudent regulators (e.g., the Federal Reserve, OCC) are communicating that all the guidance is available, and for banks to take action on these risks and controls."