FFIEC Guidelines Give More Details on Cybersecurity Initiatives

New business continuity guidelines from the Federal Financial Institutions Examination Council give more details on the cybersecurity initiatives banks and credit unions will be asked to address during upcoming examinations.

These new guidelines are likely the result of the FFIEC’s cybersecurity assessment program that was piloted at 500 community institutions last summer.

Business Continuity

On Feb. 6, the FFIEC added a 16-page appendix to its Business Continuity Planning booklet. The new appendix, “Strengthening the Resilience of Outsourced Technology Services,” specifically addresses key cybersecurity risks including:

-Distributed denial-of-service attacks

-Increased due diligence of third parties

-Infrastructural interdependencies

Regulators have been discussing these issues with banking leaders for months, but this appendix marks the first time the term cyber-resilience has appeared in FFIEC guidance. Cyber-resilience is defined as an organization’s ability to withstand a cyber-attack by minimizing the disruption or impact that attack has on its ability to conduct business.

The term was added to address the changing threats and vulnerabilities financial institutions face. That said, the fundamental controls discussed in the appendix are not new and have been addressed in earlier guidance. The OCC, along with the other FFIEC member agencies, has emphasized and will continue to emphasize the importance of comprehensive resilience and security controls for financial institutions.

This appendix is the first step in the new cybersecurity risk guidance; third-party cybersecurity risk and banking institutions’ internal defenses were the most prominent elements of the cyber-exam results.

If you have questions about your institution’s cybersecurity and cyber-resilience, call ITPAC today.