FDIC & Cyber: Words of Warning to Financial Institutions and their Boards
Financial institutions sit atop a wealth of personal information – not to mention money. In an interconnected world in which sensitive customer information is stored on servers and in the cloud – and online and mobile banking have become the norm – the Federal Deposit Insurance Corporation (FDIC) is the latest federal regulator to warn financial institutions to make cybersecurity a top priority.
This stern message is at the core of “A Framework for Cybersecurity,” the FDIC’s Winter 2015 Supervisory Insights. This latest guidance from the FDIC examines the key cyber threats facing the banking industry and discusses how banks and other financial institutions can address and monitor cybersecurity threats to their organizations.
While the FDIC’s report hardly reinvents the wheel on cybersecurity, it does outline the key elements of a strong security program and provides a summary of the recent cyber materials that have been issued by the FDIC and the Federal Financial Institutions Examination Council (FFIEC) over the past few years.
Here are key takeaways from the FDIC’s report:
1. Cybersecurity is a matter of corporate governance. Corporate governance should be at the core of a meaningful cybersecurity framework. The FDIC explains that “[a] bank should evaluate and manage cyber risk as it does any other business risk.” It is essential for a bank’s board of directors and executive management to be involved in this issue, and to institute a corporate culture that prioritizes cybersecurity and permeates all levels of the corporation. We have previously written about the potential for shareholder derivative actions in the wake of security breaches, and about the importance of board involvement in cybersecurity for getting any such claims dismissed early. Board involvement is also important from the FDIC’s perspective.
2. Educate and update. The FDIC has urged institutions to self-evaluate and “assess their own preparedness for a cyber-related incident” in order to identify vulnerabilities. In addition, an organization must have security awareness training to educate employees. The FDIC report explains that “[e]mployees from entry-level staff to the board should participate in mandatory cybersecurity awareness training, as one uninformed employee can be the bank’s weakest link.” This training should be specific to different job functions. The FDIC also identifies patch management as a key step in protecting infrastructure against security attacks. These software updates fix vulnerabilities or weaknesses in the applications used by the organization or in its operating systems. The FDIC warns that the lack of an effective internal program to fix known vulnerabilities or security weaknesses has contributed to the increase in cyber-attacks. Organizations can use both independent audits and internal reviews to determine the effectiveness of their patch-management programs. In the FDIC’s view, the board and senior management should require periodic reports on the status of the organization’s patch-management program.
3. Make use of resources. As part of the FDIC’s ongoing monitoring of cybersecurity risks – through on-site examinations and its own reporting process – the agency has provided resources to help institutions better manage cyber risk. The report reviews these resources, including the FDIC’s “Cyber Challenge” – an exercise that helps banks assess their preparedness through videos and simulation exercises – and guidance from the FFIEC’s 2014 Security Assessment. Both Appendix B to Part 364 of the FDIC’s Rules and Regulations and the NIST framework provide important tools for organizations to develop effective information security programs and to continually self-assess. The report also encourages financial institutions to share information about vulnerabilities and threats. For example, the FS-ISAC (Financial Services Information Sharing and Analysis Center) was established as an information-sharing forum to facilitate the sharing of physical and cybersecurity threat information between the public and private sectors.
The FDIC – like many other regulators – has not been shy about cybersecurity-related outreach and enforcement actions. Its guidance and tools are at once a boon to the banking industry and a clear statement of its expectation that cybersecurity is among the top priorities of the institutions it supervises.