FFIEC Releases Two Statements on Cybersecurity

Regulators are continuing to emphasize that bank CEOs and directors must understand the risks
they are undertaking with regard to cyber security, the same as understanding credit, liquidity and
other risks inherent in banking.

The FFIEC released two statements on March 30 outlining detailed steps that banks should use to
guard against and to recover from cyber attacks. These FFIEC releases, entitled “Destructive Malware” and “Cyber Attacks Compromising Credentials,” emphasize requirements that are already contained in the FFIEC Information Technology Examination Handbook. The FFIEC is highlighting these specific regulatory expectations because some banks are either not aware of or are just not satisfying what is required. Banks should carefully study these directives, and take appropriate action to comply.

Being adequately protected against a cyber attack is not optional, but many banks lack the
capability internally to meet the FFIEC’s expectations in this area. When a bank cannot effectively
provide on its own what the regulators require, it’s appropriate to and a competent vendor with that
capability.

Some bankers want information security to be a once-and-done event: “We adopted a policy. We
set up a committee. We bought new computers. Our I.T. person comes in to fix things. So we should
be good.” Actually, that’s only the beginning.

A bank and its third-party vendors must continue to adjust many procedures and systems in order
to maintain good information security. New cyber threats and new security vulnerabilities are
constantly appearing, even after good technology has been implemented.

It’s not much of an exaggeration to consider cybersecurity as being a “war” with many unknown
enemies, who attack at unexpected times and from every possible direction, constantly trying new
tactics. To fight these threats, a bank must be ready and able to strengthen its defenses whenever
and wherever an enemy is likely to focus its attack.

The FFIEC’s release summarizes eight actions that each bank should carry out. None of these is a
one-time event. Each process must occur continually, or at least be repeated frequently, because a
bank’s information security environment never stops changing:
1. “Securely configure systems and services.”
2. “Review, update, and test incident response and business continuity plans.”
3. “Conduct ongoing information security risk assessments.”
4. “Perform security monitoring, prevention, and risk mitigation.”
5. “Protect against unauthorized access.”
6. “Implement and test controls around critical systems regularly.”
7. “Enhance [employee] information security awareness [regarding safe online practices]
and training programs.”
8. “Participate in industry information-sharing programs.”
Some required functions, such as live monitoring and rapid response to a detected security event,
require staffing at a level that a community bank simply cannot provide effectively.

With 24 hour staffing, around the clock live monitoring and over 100 technical, banking and legal
professionals on staff BankOnIT provides community banks the security, regulatory, reliability and
efficiency components that are needed to make I.T. easier for you, allowing you to focus on running
your bank.

(1) http://www.ec.gov/press/pr033015.htm