Category: Hot Topics

  • Misuse, Denied Access, and Incident Response

    It may be a good time to review your Incident Response Plan and determine if additional clarification regarding the term “misuse” should be added to incorporate denial of access to information. The FFIEC Information Technology Examination Handbook for Information Security was published in September 2016 and refers to misuse as “attacks from within the organizations”. […]

  • FFIEC Issues Joint Statement on Cyber Insurance

    The statement is here, and is intended to provide additional awareness about the possible use of cyber insurance to offset financial losses resulting from cyber incidents. Here are a few high-level observations: First of all, we’ve seen several announcements from various organizations stating that “the FFIEC has released new guidance…”. The statement makes it clear […]

  • Cybersecurity – Beyond the Assessment

    The FFIEC Cybersecurity Assessment Tool has been out since 2015, and by now almost all financial institutions have completed it at least once, some as many as 3-4 times. Although most of the examiner feedback we’ve gotten indicates that simply completing is all regulators are looking for at this time, the FFIEC made it clear […]

  • FFIEC Cybersecurity Assessment Tool Update

    The FFIEC recently released a long-awaited update to the Cybersecurity Assessment Tool, and we think overall it is a relatively minor but useful evolution. But before we get into the details of what the update does address, it’s important to note that it did not address the ambiguity issues that plague the current assessment. One […]

  • FFIEC Rewrites the Information Security IT Examination Handbook

    In the first update in over 10 years, the FFIEC just completely rewrote the definitive guidance on their expectations for managing information systems in financial institutions. This was widely expected, as the IT world has changed considerably since 2006. There is much to unpack in this new handbook, starting with what appears to be a […]

  • FDIC Updates IT Examination Procedures

    Starting immediately, all FDIC-examined institutions will be subjected to new IT examination procedures, the first major overhaul since December 2007. The new format is dubbed the InTREx program (Information Technology Risk Examination), and is designed to be a bit simpler in the pre-examination phase. In fact, the InTREx has only 26 questions vs. 59 for the 12/07 […]