Both statements address recent cybersecurity threats; one targeting online credentials (passwords, usernames, e-mail addresses that may be used by employees or customers to authenticate themselves), and one addressing destructive malware. The statements advise specific risk mitigation steps institutions should consider, and I thought it would be instructive to compare the steps to see which are common to both threats (highlighted in bold).
The statement on compromised credentials lists the following risk mitigation steps:
- Conduct ongoing information security risk assessments.
- Perform security monitoring, prevention, and risk mitigation.
- Protect against unauthorized access.
- Implement and test controls around critical systems regularly.
- Enhance information security awareness and training programs.
- Participate in industry information-sharing forums.
The statement on destructive malware lists the following steps:
- Securely configure systems and services.
- Review, update, and test incident response and business continuity plans.
- Conduct ongoing information security risk assessments.
- Perform security monitoring, prevention, and risk mitigation.
- Protect against unauthorized access.
- Implement and test controls around critical systems regularly.
- Enhance information security awareness and training programs.
- Participate in industry information-sharing forums.
As you can see there is a core set of 6 steps, or controls, that are common to both threats. I’m certain that you can expect them to be a part of the FFIEC cybersecurity self-assessment tool and policy updates when they are released later this year. Forward thinking institutions would be wise to evaluate their cybersecurity controls now and make sure all 6 are in place, up-to-date, and functioning properly.
