Tag: cybersecurity

  • Ask the Guru: “The Cybersecurity Assessment Tool… Do we have to?”

    Hey Guru! Management is asking why we have to complete the FFIEC Cybersecurity Assessment Tool when it is voluntary. They feel it is too much work if it is not mandatory. I think it is still needed even though it is voluntary. Is there any documentation as to why it is still necessary for OCC…

  • FFIEC Updates (and Greatly Expands) the Management Handbook

    This latest update to the IT Examination Handbook series comes 11 years after the original version.  And although IT has changed significantly in the past 11 years, the requirement that financial institutions properly manage the risks of IT has not changed.  This new Handbook contains many changes that will introduce new requirements and new expectations…

  • Ask the Guru: Cybersecurity “Risk Appetite”

    Hey Guru, I saw multiple references to the term “risk appetite” in the FFIEC Cybersecurity Assessment Tool. What exactly is risk appetite, and how can I address this in my institution? The just released Management Handbook contains 10 new references to “risk appetite”, including a requirement that the Board has defined the institution’s risk appetite and its risk tolerance levels.…

  • FFIEC Releases Cybersecurity Assessment Tool

    UPDATE: Safe Systems just released their Enhanced CyberSecurity Assessment Toolkit (ECAT) – This enhanced version of the FFIEC toolkit addresses the biggest drawback of the tool: the ability to collect, summarize, and report your risk and control maturity levels. Once risks and controls have been assessed (Step 1 below), institutions will now be better able…

  • .Bank or .Bust? New Top Level Domain Promises Increased Security (and Plenty of Questions)

    Bankers are being encouraged to register their domain names under the new .bank extension, and although there are reasons to consider making the switch, there are also many questions to answer.  Registration is currently open for institutions with a trademarked domain name.  Open registration begins June 23. First of all, the regulators have not offered an…

  • FFIEC Issues 2 Statements on Cybersecurity

    Both statements address recent cybersecurity threats: one targeting online credentials (passwords, usernames, e-mail addresses that may be used by employees or customers to authenticate themselves), and one addressing destructive malware. The statements advise specific risk mitigation steps institutions should consider, and I thought it would be instructive to compare the steps to see which are common to…