
The Federal Deposit Insurance Corporation (FDIC) recently issued new Cybersecurity Awareness videos and related video vignettes. The first set of videos is intended to provide awareness training to boards and senior management on current cybersecurity threats and what financial institutions should be doing to mitigate those threats. Here are some observations made while watching the videos:

  1. There were numerous mentions in the videos about how cybersecurity threats and controls should be addressed within institutions’ current information security and Gramm-Leach-Bliley Act (GLBA) programs. As we have seen with recent cybersecurity guidance, the Federal Financial Institutions Examination Council (FFIEC) asked institutions to re-evaluate their previously required programs, such as Vendor Management, Information Security and Business Continuity Planning, to ensure that these new kinds of threats are addressed. The videos conflict with statements we have seen from some state and federal examiners in the field who have requested that institutions create separate cybersecurity programs. While having a separate program would make it very easy for examiners to perform their fieldwork, the creation and maintenance of a new program would not only place an undue burden on institutions but could also cause a great deal of inefficiency in managing the various programs.

    That being said, it is still prudent for institutions to ensure that examiners can see the steps they have performed to address cybersecurity. One way institutions can accomplish this is by creating a document that illustrates how cybersecurity concerns are being addressed and which areas of their information security and GLBA programs have been updated.

    This effort will better inform examiners in the field of the maturity of an institution’s cybersecurity program and will help the institution to avoid creating duplicative policies and procedures.

  2. The FDIC feels that “people and patches” are the biggest threats facing financial institutions. The FDIC expressed that institutions need to find more effective ways to train employees on security awareness and enhance their current patching systems to ensure network systems are running on updated solutions.
  3. The videos stress the importance of institutions accessing channels of information that allow them to be up-to-date on cybersecurity threats and incidents. It is recommended that institutions review alerts from the Financial Services Information Sharing and Analysis Center (FS-ISAC) and CERT daily.

    At a minimum, institutions should develop a process that can serve as evidence that they are reviewing these alerts daily and that allows them to receive the right information they need to address new threats.

  4. The videos discuss how each institution’s independent IT Audit Plan should contain elements of cybersecurity testing such as social engineering testing as well as penetration and vulnerability assessments. Institutions should make sure these elements are visible in their current plan.

The second set of videos is a series of vignettes depicting cybersecurity situations that can easily occur at any institution. The FDIC recommends that institutions review the videos with their Business Continuity or Incident Response teams and discuss not only how they would handle the various crises, but also whether they are adequately trying to prevent the situations from occurring in the first place.

Cybersecurity Awareness Videos
Cyber Challenge Vignettes

For assistance with your cybersecurity program, please contact Matthew J. Putvinski, CPA, CISA, CISSP, Director of IT Assurance Services, at 617-428-5479 or