Compliance Guru • FFIEC Guidance
By Tom Hinkel In Hot Topics

FFIEC Issues 2 Statements on Cybersecurity

Both statements address recent cybersecurity threats: one targeting online credentials (passwords, usernames, and e-mail addresses that employees or customers may use to authenticate themselves), and one addressing destructive malware. The statements advise specific risk mitigation steps institutions should consider, and I thought it would be instructive to compare the two lists to see which steps are common to both threats.

The statement on compromised credentials lists the following risk mitigation steps:

  • Conduct ongoing information security risk assessments.
  • Perform security monitoring, prevention, and risk mitigation.
  • Protect against unauthorized access.
  • Implement and test controls around critical systems regularly.
  • Enhance information security awareness and training programs.
  • Participate in industry information-sharing forums.

The statement on destructive malware lists the following steps:

  • Securely configure systems and services.
  • Review, update, and test incident response and business continuity plans.
  • Conduct ongoing information security risk assessments.
  • Perform security monitoring, prevention, and risk mitigation.
  • Protect against unauthorized access.
  • Implement and test controls around critical systems regularly.
  • Enhance information security awareness and training programs.
  • Participate in industry information-sharing forums.

As you can see, there is a core set of 6 steps, or controls, that are common to both threats. I'm certain that you can expect them to be a part of the FFIEC cybersecurity self-assessment tool and policy updates when they are released later this year. Forward-thinking institutions would be wise to evaluate their cybersecurity controls now and make sure all 6 are in place, up-to-date, and functioning properly.


Article by Tom Hinkel

As author of the Compliance Guru website, Hinkel shares easy-to-digest information security tidbits with financial institutions across the country. With almost twenty years' experience, Hinkel's areas of expertise span the entire spectrum of information technology. He is also the VP of Compliance Services at Safe Systems, a community banking tech company, where he ensures that their services incorporate the appropriate financial industry regulations and best practices.

Copyright © Compliance Guru®.
All Rights Reserved.