Tag: cybersecurity

  • Home
  • cybersecurity
10 Feb 2015
Hot Topics Tom Hinkel 1 Comment

FFIEC Issues Update to Business Continuity Guidance

The FFIEC just issued new BCP Guidance in the form of a 16 page addendum to the existing 2008 IT Handbook on Business Continuity Planning. It is titled “Appendix J: Strengthening the Resilience of Outsourced Technology Services”, and it has significant implications for both financial institutions and service providers, and across the entire business relationship between the two.

The following excerpt summarizes the intent of the update pretty succinctly:

A financial institution should be able to demonstrate the ability to recover critical IT systems and resume normal business operations regardless of whether the process is supported in-house or at a TSP (technology service provider) for all types of adverse events (e.g., natural disaster, infrastructure failure, technology failure, availability of staff, or cyber attack).

The appendix is focused on third-party Technology Service Providers (TSP’s), and organized in four sections (with associated sub-sections):

  • Third-party management
    • Due Diligence
    • Contracts
    • Ongoing Monitoring
  • Third-party capacity
    • Significant TSP Continuity Scenarios
    • TSP Alternatives
  • Testing with third-party TSP’s
    • Testing Scenarios
    • Testing Complexity
  • Cyber resilience

Assuming that you already have a relatively compliant* business continuity plan, I see several areas that may need immediate attention:

  1. Vendor management.  Expect expanded vendor pre-contract due diligence and on-going oversight, including a detailed understanding of how the vendor manages their subcontractors.  The guidance also introduces the concept of “concentration risk”, which is the increased use of, and over-reliance on, one or more key service providers.
  2. Contracts.  Expect increased contract requirements, including provisions related to subcontracting (see above), the right-to-audit, data ownership and handling, and how the servicer plans to respond to new guidance and regulations.
  3. Testing.  Expect an expanded testing section, including participation in critical vendor testing.
  4. Cyber security.  Cyber events should be factored into all aspects of your BCP, with emphasis on responding effectively to a cyber attack.  Expect your incident response planning and testing to get increased scrutiny as well.

There is one more element of the guidance that may prove to be the most challenging of all for outsourced institutions.  In the past, manual procedures were always the primary alternative to automation, but because of the increased dependence on outsourcing, it may no longer be feasible for an institution to operate manually for any length of time.  In those situations the guidance suggests that you have an alternative service provider identified to assume operations, or that you consider the possibility of moving the operations in-house.  Since the guidance admits that the latter option is likely not a valid one, that really only leaves the alternate provider as a possible solution.  Of course any institution that has converted their core system to a new provider knows that process is fraught with challenges even when the conversion is anticipated and carefully planned.  Undertaking the process after a sudden disruptive event is almost unthinkable, but the guidance expects you to going forward.

 

* A compliant BCP is built around a business impact analysis which identifies all critical business processes and their interdependencies, establishes clearly defined recovery time and recovery point objectives (RTO’s & RPO’s) for each process, specifies recovery procedures sufficient to restore process functionality within RTO’s, and then validates all procedures via testing.

11 Nov 2014
From the Field Tom Hinkel 1 Comment

Guru Briefs – OCC on Cybersecurity & MRA’s, FFIEC on Cybersecurity Assessments

(NOTE:  Guru Briefs are short takes on recently released regulatory activity. They are not a detailed analysis, but designed to draw attention to the Guru’s initial impressions.)

In this edition:

  • The OCC has been particularly active on the regulatory front lately, and even non-OCC institutions may want to pay attention, as the head of the OCC is also the Chairman of the FFIEC.  I comment on 3 recent OCC pronouncements.
  • The FFIEC has completed the cybersecurity risk assessments, and issued some observations.

First up, the OCC recently updated their guidance on Matters Requiring Attention, or MRA’s.  Classified generally as examination “findings”, MRA’s are the most severe type of findings, as they require the immediate attention of senior management and timely (i.e. rapid) corrective action.  While it’s good to see this process standardized (at least among OCC examiners, other agencies have yet to follow suit), what struck me was how the “open” items (those items that have yet to be corrected) were classified.  Particularly one that I haven’t seen before…”Self-identified”.  A “Self-identified” MRA is defined as:

“A significant unresolved concern that the bank initially discovered.  A bank’s action to self-identify concerns is an important consideration when the OCC assesses the adequacy of the bank’s risk management system.

So in other words, you discovered a deficiency first, and then either brought it to the attention of the regulator or they found it.  Instead of counting against you. this actually strengthens the regulator’s view of your risk management system.  Essentially this is an MRA that has a positive impact on your institution!  I’ve discussed this “control self-assessment” process before.  Don’t be afraid of finding problems, it’s much better that you find them then the regulator!

Next up from the OCC, the Chairman (Thomas J. Curry) gave a speech on cybersecurity to the 10th Annual Community Bankers Symposium recently.  Here are a few of my observations:

  • Smaller institutions may be more at risk from cybercrime because of their lack of internal resources compared to larger institutions, so collaboration with information sharing organizations is particularly important.
  • Management is encouraged to incorporate cyber-incident scenarios into their business continuity and incident response planning.
  • It’s “extremely important” for management to understand their risk exposure to cyber-threats and vulnerabilities.
  • Because of the high degree of connectedness among institutions and their third-party providers, managing those relationships is vital.  Curry states that “third-party relationships have been a significant area of concern for years, and not just in the area of cybersecurity.”  The agency has, and will continue to, play a role in watching over these providers, but they stress that their supervision “does not take the place of due diligence or ongoing monitoring” on your part.

Lastly from the OCC, could we see merchants held to the same security standards as financial institutions?  Consider this statement from Chairman Curry in the same speech:

“…we need to level the playing field between financial institutions and merchants. The same expectations for security of customer information and customer notification when breaches occur should apply to all institutions. And when breaches occur in merchant systems, it seems only fair to me that they should be responsible for some of the expenses that result.”

This is long overdue in my opinion, merchants are considered the weakest links in the cybersecurity chain.  The challenge will be enforcing it.  Until merchants are under the same regulatory burden as financial institutions, they will have no incentive to comply.  PCI-DSS has been proven ineffective, after all both Target and Home Depot claimed to be PCI compliant prior to their breaches.

Finally, the FFIEC has concluded their cybersecurity assessments and issued some general observations.  Summarizing:

  • Management must understand their own cybersecurity exposure (see OCC Chairman comments above).
  • Key to this understanding your cybersecurity status is understanding who connects to you, and how.
  • Manage your third-party relationships, and understand how your vendors are managing their third-parties.
  • Expand your disaster recovery and incident response processes to incorporate cyber incident scenarios (again, see Chairman Curry’s remarks above).

…and last but not least…

  • “As a result of the Cybersecurity Assessment,  FFIEC members are reviewing and updating current guidance to align with changing  cybersecurity risk.”  In other words, new guidance is on the way!
23 Jul 2014
Hot Topics Tom Hinkel 0 comment

Cybersecurity – Part 2

In Part 1 I discussed the increasing regulatory focus on cybersecurity, and what to expect in the short term.  In this post I want to dissect the individual elements of cybersecurity, and list what you’ll need to do to demonstrate compliance on each one going forward. So here are the required elements of a cybersecurity program, followed by what you need to do:

  • Governance – risk management and oversight
  • Threat intelligence and collaboration – Internal & External Resources
  • Third -party service provider and vendor risk management
  • Incident response and resilience

1.     Governance – risk management and oversight

Nothing new about this one, virtually all FFIEC IT Handbooks list proper governance as the first and most important item necessary for compliance, and governance begins at the top.  In fact a recent FFIEC webinar was titled “Executive Leadership of Cybersecurity: What Today’s CEO Needs to Know About the Threats They Don’t See.”  But governance involves more than just management oversight.  The IT Handbook defines it this way:

“Governance is achieved through the management structure, assignment of responsibilities and authority, establishment of policies, standards and procedures, allocation of resources, monitoring, and accountability.”

 What you need to do:

  •  Update & Test your Policies, Procedures and Practices.  Verify that cyber threats are specifically included in your information security, incident response, and business continuity policies.
  • Assess your Cybersecurity Risk (Risk = Threat times Vulnerability minus Controls).  When selecting controls, remember that there are three categories; preventive, detective, and responsive/corrective.  Preventive controls are always best, but given the increasing reliance on third-parties for data processing and storage, they may not be optimal.  Focus instead on detective and responsive controls.  Also, make sure your assessment accounts for any actual events affecting you or your vendors.  Document both:
    • Inherent cybersecurity risk exposure – risk level prior to application of mitigating controls
    • Residual cybersecurity risk exposure – risk remaining after application of controls
  • Adjust your Policies, Procedures and Practices as needed based on the risk assessment results.
  • Use your IT Steering Committee (or equivalent) to manage the process.
  • Provide periodic Board updates.

2.     Threat intelligence and collaboration – Internal & External Resources

This element reflects both the complexity and the pervasiveness of the  cybersecurity problem, and (unlike governance) is a particular challenge to smaller institutions (<1B).  According to a study conducted in May of this year by the New York State Department of Financial Services, the information security frameworks of small institutions lagged behind larger institutions in two key areas: oversight over third party service providers (more on that later), and membership in an information-sharing organization.

What you need to do:

Regulators expect all financial institutions to identify and monitor cyber-threats to their organization, and to the financial sector as a whole.  Make sure this “real-world” information is factored into your risk assessment.  Some information sharing resources include:

3.     Third -party service provider and vendor risk management

For the vast majority of outsourced financial institutions, managing cybersecurity comes down to managing the risk originating at third-party providers and other unaffiliated third-parties. As the Chairman of the FFIEC, Thomas J Curry, recently stated:

“One area of ongoing concern is the increasing reliance on third parties..The OCC has long considered bank oversight of third parties to be an important part of a bank’s overall risk management capability.”

Smaller institutions may be even more at risk, because they tend to rely more on third-parties, and (as I pointed out earlier) tend to lag behind larger institutions when it comes to vendor management.  This is mostly because of available internal resources.  Larger institutions may conduct their own compliance audits, while smaller institutions may rely more on external resources, such as SOC reports and FFIEC Reports of Examination (ROE).  And once the reports are received, interpreting them to determine if they indeed address your concerns can be an even bigger challenge.

What you need to do:

Regardless of size, all institutions should  employ basic vendor management best practices to understand and control third-party risk.  Pay particular attention to the following:

  • Pre-contract Planning & Due Diligence – in addition to reviewing the SOC reports and ROE’s, determine if the vendor had any significant recent security events.
  • Contracts – they should define if and how you’ll be notified in the event of a security event involving you or your customer’s data, and who is responsible for customer notification.  They should also include a “right-to-audit” clause, giving you the right to conduct audits at the service provider if necessary.
  • Ongoing Monitoring – in addition to updated SOC reports, financials, and ROE’s, don’t forget to take advantage of vendor forums and user groups.  As the FFIEC statement stressed:

“…financial institutions that utilize third party service providers should check with their provider about the existence of user groups that also could be valuable sources of information.”

  • Termination/Disengagement – management should understand what happens to their data at the end of the relationship.

4.     Incident response and resilience

Incident response has been mentioned in all regulatory statements about cybersecurity, and for good reason.  Regardless of whether it originates internally or externally, a security incident is a virtual certainty.  And regulators know that although vendor oversight does provide some measure of assurance, you have very little actual control over specific vendor-based preventive controls.  So detective and corrective/responsive controls must compensate.

What you need to do:

Make sure your incident response program (IRP) has been updated to accommodate a response to a cybersecurity event.  As I stated in Part 1, your existing policies should already do this if they are impact-based instead of threat-based.  “Cyber” simply refers to the source or nature of the threat.  The impact of a cybersecurity event is generally the same as any other adverse event; information is compromised or business is interrupted.  However, all IRP’s should contain certain elements:

  • The incident response team members
  • A method for classifying the severity of the incident
  • A response based on severity, to include internal escalation, and external notification.
  • Periodic testing and Board reporting

Regarding testing, the FFIEC considers it so important they refer to it as one of the primary take-aways from their recent webinar, encouraging all institutions to consider:

How often is my institution testing its plans to respond to a cyber attack? Do these tests include our key internal and external stakeholders?

 In summary, review the requirements for cybersecurity, and compare them with your current policies, procedures and practices.  Hopefully you’ve already incorporated many (if not most) of these elements into your program, and very little adjustment needs to be made.  But either way, be prepared to discuss what you are doing, and how you are doing it, with the regulators…they WILL be asking you.

10 Jul 2014
Hot Topics Tom Hinkel 0 comment

Cybersecurity – Part 1

Cybersecurity has gotten a lot of attention from regulators lately, and with assessments already underway it promises to be a regulatory focus for the foreseeable future.  But exactly what are they expecting from you, and how does that differ from what you may be doing already?  More importantly, how should you demonstrate that you are cybersecurity compliant?

First of all it’s important to understand that, at least initially, regulators  will be data gathering only.  They may offer verbal feedback, but don’t expect any written examination findings or recommendation at this time.  What they will be doing is assessing the overall posture of cybersecurity.  It would appear that the regulators are following the NIST cybersecurity framework that came out earlier this year in response to the Presidential Executive Order that came out in February of 2013.  The  NIST framework provides a common mechanism for organizations to:

  1. Describe their current cybersecurity posture;
  2. Describe their target state for cybersecurity;
  3. Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process;
  4. Assess progress toward the target state; and
  5. Communicate among internal and external stakeholders about cybersecurity risk.

It would appear that financial regulators are currently on step 1; gathering information in order to describe the current state of cybersecurity across the financial industry.  Of course once the current state has been established, I expect that the “target state” for cybersecurity (step #2) will involve additional regulatory expectations.

So what do you need to do now?  Well, if you’ve kept your information security, business continuity, and vendor management policies and procedures up-to-date, probably not much.  Cybersecurity is simply a subset of each of those existing policies.  In most cases, ‘cyber’ refers to either the source or nature of the attack or the vulnerability.  Your InfoSec  policies (including incident response) should already address this, and so should your business continuity plan.  In other words, you should already have procedures in place to secure customer and confidential data and recovery critical business processes regardless of  the source or nature of the threat.  Your policies should all be impact-based, not threat-based.

Your risk assessments, however, may need to be adjusted if they don’t specifically account for cyber threats.  For example, critical vendors should be assessed for their exposure to, and protection from, cyber threats…with your controls adjusted accordingly (i.e. audit reports, PEN tests, etc.).  Your BCP risk assessment should account for the impact and probability of cyber, as well as traditional, fraud, theft and blackmail.  All that said, regulators will likely be looking for specific references to ‘cyber’, so it won’t hurt to make sure your policies include the term as well.

For me, the biggest takeaway from the flurry of cybersecurity activity (the 2013 Presidential Directive, the 2013 FFIEC working group, the 2014 NIST Cybersecurity Framework, the recent FFIEC statements on ATM Hacking and Heartbleed and DDoS attacks, as well as the recent FDIC’s C-level cybersecurity webinar) is this; for the vast majority of outsourced financial institutions, cybersecurity readiness means A). managing your vendors, and B). having a proven plan in place to detect and recover if a cyber-attack occurs.  

According to the FDIC, here are the required elements of a cybersecurity risk management program …notice the last two:

  • Governance – risk management and oversight
  • Threat intelligence and collaboration – Internal & External Resources
  • Third -party service provider and vendor risk management
  • Incident response and resilience

I’ve covered vendor management and incident response before.  In Part 2 I’ll break down each of the four elements in greater detail, and tell you what you’ll need to do to demonstrate compliance.

05 Aug 2013
Hot Topics Tom Hinkel 0 comment

Critical Controls for Effective Cyber Defense – Converging Standards?

Earlier this year the SANS Institute issued a document titled “Critical Controls for Effective Cyber Defense“.  Although not specific to financial institutions, it provides a useful prescriptive framework for any institution looking to defend their networks and systems from internal and external threats.  The document lists the top 20 controls institutions should use to prevent and detect cyber attacks.

This document actually preceded the announcement by the FFIEC in June that they were forming a working group to “promote coordination across the federal and state banking regulatory agencies on critical infrastructure and cybersecurity issues”.  I mentioned this announcement here in relation to its possible effect on future regulatory guidance.  So I was particularly interested in any overlap, any common thread, between the this initiative and the SANS document.  If there was any overlap between the organizations contributing to the SANS list and the FFIEC Cybersecurity working group, we might have the basis for  a common, consistent set of prescriptive guidance. Could a single “check-list” type information security standard be in the works?

For example, the Information Security Handbook requires financial institutions to have “…numerous controls to safeguard and limits access to key information system assets at all layers in the network stack.”  They then go on to suggest general best practices in various categories for achieving that goal, leaving the specifics up to the institution.

Contrast that to the much more specific SANS Critical Control list.  Here are the first 5:

  • Critical Control 1:  Inventory of Authorized and Unauthorized Devices
  • Critical Control 2:  Inventory of Authorized and Unauthorized Software
  • Critical Control 3:  Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
  • Critical Control 4:  Continuous Vulnerability Assessment and Remediation
  • Critical Control 5:  Malware Defenses

As you can see, although the goal of protecting information assets is the same in each case, the SANS list is much more specific.  Could we possibly see a converging of the general guidance of the FFIEC with the more specific control requirements of SANS, with cybersecurity as the common goal?  Again, a look at the common contributors to each group might provide a clue.

The SANS group credits input from multiple agencies of the U.S. government; the Department of Defense, Homeland Security, NIST, FBI, NSA, Department of Energy, and others.  The FFIEC working group coordinates with groups such as the FFIEC’s Information Technology Subcommittee of the Task Force on Supervision, the Financial and Banking Information Infrastructure Committee, the Financial Services Sector Coordinating Council, and the Financial Services Information Sharing and Analysis Center (FS-ISAC).  SO no direct common thread there, unfortunately.  However the FS-ISAC group does share many partners with the SANS group, including the Departments of Defense, Energy, and Homeland Security, so we may yet see the FFIEC Information Security guidance evolve.  Particularly since the Handbook was published back in 2006, and is overdue for a major update.  In the meantime, financial institutions would be well advised to use the SANS Critical Controls as a de-facto checklist to measure their own security posture.*

By the way, the document  also lists 5 critical tenets of an effective cyber defense system, 2 of which are ‘Continuous Monitoring’ and ‘Automation’.   More on those in a future post (although I already addressed the advantages of automation here).

* There is nothing in the SANS list that is inconsistent with FFIEC requirements, in fact we’ve already seen at least one company servicing the Credit Union industry adopt this list as their framework.  However, keep in mind that although the controls listed are necessary for cyber defense, they are not sufficient.  A fully compliant information security program must also address management and oversight…an area conspicuously absent on the SANS list.

© 2025 UFS Tech. All rights reserved. Compliance Guru is a registered trademark of UFS Tech. Privacy Policy