This summer, the Federal Financial Institutions Examination Council (FFIEC), made up of the FED Board of Governors and FDIC, among others, conducted a Cybersecurity Assessment at over 500 community financial institutions to evaluate their ability to handle cyber risks. While the data is still being analyzed in order to assist with future guidance and regulations, last month the FFIEC Cybersecurity Assessment’s “General Observations” were released.
What is striking about the General Observations, which are not to be construed as guidance, is that they call out “the board of directors and senior management” of financial institutions, telling them to become actively engaged, to understand the risks, and to discuss issues “routinely.” So, while companies are waiting for new guidance, the FFIEC went out of its way to say that the new data “reinforces the need for engagement by the board of directors and senior management.”
For now, as we wait for new guidance, management is well advised to remain actively engaged in the six discrete areas carefully noted in the Summary:
- understanding the institution’s cybersecurity inherent risk;
- routinely discussing cybersecurity issues in meetings;
- monitoring and maintaining sufficient awareness of threats and vulnerabilities;
- establishing and maintaining a dynamic control environment;
- managing connections to third parties; and
- developing and testing business continuity and disaster recovery plans that incorporate cyber incident scenarios.