FFIEC Releases Cybersecurity Questions for CEOs and Directors

The FFIEC has released a list of 20 questions that CEOs and directors should ask themselves about their bank’s internal information security processes and its preparedness for cybersecurity risks.

During the summer of 2014, FFIEC member agencies piloted a cybersecurity assessment at more than 500 community institutions to evaluate how well those institutions are prepared to meet cybersecurity risks. This assessment was conducted simultaneously with regularly scheduled exams and evaluated whether banks are meeting key supervisory expectations contained in existing FFIEC information technology handbooks and other regulatory guidance. The 20 questions the FFIEC has now released are based on what the regulators discovered in the assessment.

A major FFIEC conclusion is that “the level of cybersecurity inherent risk varies significantly across various financial institutions.” (In other words, some banks are using appropriate measures, but others really need to step up their game.) With the increasing use of technology in banking in recent years, a typical bank’s security risks have multiplied rapidly. Many banks now face a combined level of information security risk that far exceeds what the mitigating security strategies they have adopted can actually control.

It’s not surprising that cybersecurity preparedness at community banks keeps getting more attention. Regulators have focused for quite a while on how community bank CEOs and boards of directors are dealing with information security issues. In a speech last year that heavily emphasized community banks, Thomas Curry, Comptroller of the Currency and chairperson of the FFIEC, explained why regulatory resources are being concentrated more heavily on cybersecurity in community banks: It’s because these institutions may have less sophisticated resources to defend against cyber threats.

The regulators’ cybersecurity assessment earlier this year was not technically part of the exams conducted at the selected banks, but involved much more in-depth questioning about cybersecurity preparedness than banks have experienced in the past. The assessment’s level of detail can certainly be taken as an indicator of things to come, and banks would be well advised to make greater preparations now for an increasing emphasis on cybersecurity in future regulatory exams. The FFIEC’s 20 questions for CEOs and directors are a good start in helping a bank to understand its own level of cybersecurity preparedness.

BankOnIT has prepared an analysis and answers for the FFIEC’s 20 questions, explaining in more detail what the regulators are expecting concerning cybersecurity preparedness and what BankOnIT is doing to help banks meet these standards.

Contact your BankOnIT calling officer to get your copy of this document, or email us at solutions@bankonitusa.com.

Link to regulatory release: http://www.ffiec.gov/press/pr110314.htm