From SafeSystems.com/Safe-Systems-Blog Safe Systems recently published a two-part regulatory compliance blog series that looked back at 2020 and ahead to 2021. In Part 1, we explored how regulations related to the Pandemic dominated the compliance landscape early in 2020 forcing financial institutions to make adjustments to their procedures and practices on the fly. In Part […]
Can We Apply Similar Controls to Satisfy Both GLBA and GDPR?
Hey Guru! Are the Gramm–Leach–Bliley Act (GLBA) and the General Data Protection Regulation (GDPR) similar enough to apply the same or equivalent set of layered controls? My understanding is that GDPR has placed a higher premium on the protection of a narrower definition of data. So, my question is more about whether FFIEC requirements for […]
FFIEC Issues Joint Statement on Cyber Insurance
The statement is here, and is intended to provide additional awareness about the possible use of cyber insurance to off-set financial losses resulting from cyber incidents. Here are a few high-level observations: First of all, we’ve seen several announcements from various organizations stating that “the FFIEC has released new guidance…”. The statement makes it clear […]
FFIEC Cybersecurity Assessment Tool Update
The FFIEC recently released a long-awaited update to the Cybersecurity Assessment Tool, and we think overall it is a relatively minor but useful evolution. But before we get into the details of what the update does address, it’s important to note that it did not address the ambiguity issues that plague the current assessment. One […]
Ask the Guru: How Can I Best Determine My Cyber Risk Profile?
Hey Guru! We just completed the Cybersecurity Assessment, so now we have our current risk and control maturity levels identified. Can we draw any conclusions about our average risk and control levels? For example, most of our risks are in the Least and Minimal areas, but we do have a few Moderate as well. Can we […]
Ask the Guru: “The Cybersecurity Assessment Tool… Do we have to?”
Hey Guru! Management is asking why we have to complete the FFIEC Cybersecurity Assessment Tool when it is voluntary. They feel it is too much work if it is not mandatory. I think it is still needed even though it is voluntary. Is there any documentation as to why it is still necessary for OCC […]
FFIEC Updates (and Greatly Expands) the Management Handbook
This latest update to the IT Examination Handbook series comes 11 years after the original version. And although IT has changed significantly in the past 11 years, the requirement that financial institutions properly manage the risks of IT has not changed. This new Handbook contains many changes that will introduce new requirements and new expectations […]
Ask the Guru: Cybersecurity “Risk Appetite”
Hey Guru I saw multiple references to the term “risk appetite” in the FFIEC Cybersecurity Assessment Tool. What exactly is risk appetite, and how can I address this in my institution? They just released Management Handbook contains 10 new references to “risk appetite”, including a requirement that the Board has defined the institution’s risk appetite and it’s risk tolerance levels. […]
FFIEC Releases Cybersecurity Assessment Tool
UPDATE: Safe Systems just released their Enhanced CyberSecurity Assessment Toolkit (ECAT) – This enhanced version of the FFIEC toolkit addresses the biggest drawback of the tool; the ability to collect, summarize, and report your risk and control maturity levels. Once risks and controls have been assessed (Step 1 below), institutions will now be better able […]
.Bank or .Bust? New Top Level Domain Promises Increased Security (and Plenty of Questions)
Bankers are being encouraged to register their domain names under the new .bank extension, and although there are reasons to consider making the switch, there are also many questions to answer. Registration is currently open for institutions with a trademarked domain name. Open registration begins June 23. First of all, the regulators have not offered an […]
FFIEC Issues 2 Statements on Cybersecurity
Both statements address recent cybersecurity threats; one targeting online credentials (passwords, usernames, e-mail addresses that may be used by employees or customers to authenticate themselves), and one addressing destructive malware. The statements advise specific risk mitigation steps institutions should consider, and I thought it would be instructive to compare the steps to see which are common to […]