The FFIEC issued its general findings from an assessment of over 500 community based financial institutions this summer. In its November 3rd press release1, the FFIEC discussed the growing need for tighter cybersecurity measures and indicated that it was already in the process of reviewing and updating the existing guidelines for managing cybersecurity risk.
The FFIEC assessment focused on two primary areas of risk: determining senior managements’ level of understanding of the inherent risk from cybersecurity threats and vulnerabilities; and, the extent to which institutions were prepared to assess and address those risks.
In reviewing levels of inherent risk the FFIEC encouraged financial institutions to understand the types of connections used to access systems and data; whether certain products and services introduced additional cybersecurity risk to the institution; and, understand the cybersecurity risks associated with the various technologies used to deliver those products and services.
The FFIEC’s assessment of cybersecurity preparedness focused on an institution’s ability to proactively identify/assess cybersecurity risks; the processes and controls in place to address those risks; and, how well an institution managed its cybersecurity exposure at third party service providers.
The updated FFIEC Guidance on cybersecurity risk is expected to encourage financial institutions to develop and maintain dynamic risk control environments that proactively manage cybersecurity threats to the institutions themselves as well as their third party service providers, and to continue the development of sophisticated business continuity and disaster recovery plans. No specific time frame was provided for when the new cybersecurity guidance would be issued. However, in the interim it would be prudent for financial institutions to begin increasing their efforts in the areas focused on by the FFIEC in its Cybersecurity General Observations.