DiCom Software Newsletter
July, 2015  


CQS 9.2 
CQS 9.2 is available and ready for client download from DiCom's secure FTP site. The release includes improved comment text box functionality, the ability to use the Report Designer for Monitor and Problem Loan reporting, and several other UI improvements.  If you are a current client and are interested in this release, please contact our technical services team as soon as possible to begin your upgrade. 
 

CQS 9.5 
CQS 9.5 is currently being developed for release later this year. User group meetings are taking place to gather input on the functionality in this release. If you wish to take part in these user group meetings, please contact our Product Manager here.
 


 
 
 

 

Welcome to the twelfth edition of DiCom's e-newsletter!  We use this tool to keep you informed of the latest credit risk and loan review industry updates.  This month we focus on the concerns related to cybersecurity and what expectations the regulators have published that banks can look to for guidance.

As always, your input on topics for future newsletters, as well as suggestions for enhancements to our suite of credit risk management software solutions is heartily encouraged!
  

The Latest Hot Topic...

 

Cybersecurity is not a new subject to the financial industry. Concerns about the security of data, the publicized and expensive breaches many corporations have suffered, and the impact those breaches have had on many individuals make this an issue that is real, personally and professionally, for everyone.

 

The emphasis in the financial sector has increased dramatically in the past year, and seems to have reached a crescendo in the past month. On June 30th, which now seems fortuitous in an unfortunate way, the FFIEC released its Cybersecurity Assessment Tool. [1] The timing coincided with the OCC release of its Semiannual Risk Perspective. While the FFIEC publication was solely focused on cybersecurity, even the OCC noted in its single page on operational risk that it considered the level of operational risk elevated, due to "greater interconnectedness and interdependencies, increased sophistication of cyber threats, and pervasive technology vulnerabilities." [2] The GAO also weighed in on the subject on July 2nd, publishing a report on cybersecurity at banks and other depository institutions, indicating that most regulators lacked information that would enable them to better assess information security during their reviews. According to this GAO report, the regulators had already begun to take steps to educate their staffs on current information technology issues. [3]


As if on cue, July 8th saw a trio of high-profile outages which led many to question whether a broad-scale cyber-attack was in progress. The NYSE saw trading shut down for three hours in what they subsequently reported as a 'technical issue' related to a failed upgrade. United Airlines had all flights grounded for two hours that morning due to a 'network connectivity issue' which impacted its passenger reservation system. The Wall Street Journal lost its cyber connection to readers when its homepage went down for a period of time that day. Reporters quickly took the question to the White House, with the press secretary addressing this topic in between questions about Greece and Bill Cosby's Medal of Freedom. At this point the Department of Homeland Security continues to indicate 'no signs of malicious activity', and so the conclusion would be that these types of outages will actually happen more regularly if the standards for security systems are not improved.

 

Other organizations have been focusing on cyber security as well. In February, FINRA published a report on Cybersecurity Practices, and the report included results of a survey they conducted regarding the top cyber risks financial services organizations were facing. Not surprisingly, the top concern was hackers penetrating systems. [4] The New York State Department of Financial Services published a report last year that referred to a 2013 survey they conducted of 154 institutions on cyber security. In it they identify five key pillars of an effective Information Security Framework. [5] They are:

  1. A written information security policy
  2. Security awareness education and employee training
  3. Risk management of cyber-risk, inclusive of identification of key risks and trends
  4. Information security audits
  5. Incident monitoring and reporting

What the FFIEC document provides is a tool for banks to incorporate all the best practices, as well as the regulatory guidance, to appropriately address the cyber-risk concern for their institution. They have presented their assessment tool in two parts. One section addresses the risk profile of the institution, and one addresses the maturity of the institution's current controls and processes. Steps are laid out for bank management to follow to enhance their oversight of the risk that exists relative to cybersecurity for their institution. Responsibilities of the CEO and the board of directors are listed in conjunction with the conclusions management will present based on their efforts.

 

Having been given these clearly identified instructions on what regulators expect, it is imperative that institutions of all sizes incorporate these elements into their risk management plans and risk appetites. Devoting resources not only to the avoidance of DDoS/Denial of Service events, but also to the prevention of actual data breaches, is of course imperative. Doing this in a structured and thorough way, based on proven industry standards, will be expected going forward. Risk management staff should consider this FFIEC framework for any program they expect to present successfully to their regulators, and build on this foundation as they work to prevent a cyber-event at their institution.

 

Footnotes: 

[2] http://www.occ.gov/publications/publications-by-type/other-publications-reports/semiannual-risk-perspective/semiannual-risk-perspective-spring-2015.pdf, page 34

[3] http://www.gao.gov/assets/680/671106.pdf

  

  
Coming up in August DiCom will host a webinar, How Strong is Your Third Line of Defense?, on August 25th and 27th. To register for that webinar click here.

If you have questions about any of the information in this newsletter or about DiCom's suite of Credit Risk Management products, please do not hesitate to contact us at 407-246-8060.
DiCom Software, 1800 Pembrook Drive, Suite 450, Orlando, FL 32810  (407) 246-8060