Cybersecurity Awareness Month – Industry Teleconference

I hope everyone enjoyed October’s Cybersecurity Awareness Month as much as I did. To end the month, the FDIC held an industry teleconference on October 28th.  The teleconference included updates on the cybersecurity landscape, cybersecurity assessment tool (CAT) and information sharing with a brief Q&A that followed.

The recorded teleconference will be available online soon. If you missed it or do not have time to listen to the recording, here are the top 5 takeaways.

Takeaway 1: Cybersecurity is here to stay

I’m not going to delve into much detail on this topic as we are all well aware of this.  Cybersecurity threats are increasing and you need to protect your financial institution.  Breaches are no longer a matter of if, but when.

Takeaway 2: Need threat intelligence program

If you haven’t implemented one already, you need to implement a threat intelligence program. What this means is that you need someone dedicated to receiving information pertaining to the latest cybersecurity threats and then analyzing and processing that information in a timely manner.  Procedures should be followed immediately to protect your financial institution from the threat.  There are several sources for receiving this information and the FDIC recommended the following three sources.

Takeaway 3: CAT is not required

I thought this was the most important takeaway.  The cybersecurity assessment tool is just that, a voluntary tool provided by the FFIEC to help financial institutions. Please read the previous post if you would like to find out more about the CAT. 

The FDIC will not be utilizing the CAT during examinations.  They will continue to use their existing workprograms to assess financial institution’s information security program, which includes risk assessment and analysis.  The FDIC could not comment on how other branches would handle the CAT.  If you are utilizing the CAT to aid in your overall risk assessment and risk analysis, then the FDIC examiners will look at your CAT tool to assess the overall information security program.

Takeaway 4: FDIC IT examination workprograms and handbooks are getting a facelift

So while the examiners will not be using the CAT as their workprogram, the IT examiners’ workprogram will be receiving a facelift. The last time these workprograms have been updated was in 2004.  In the past, they’ve strived to update the workprogram every four years. 

IT handbooks are also receiving updates.  The first to be released is the Management handbook.  The Information Security handbook is slated to be updated in the first quarter of 2016.  The other handbooks will be scheduled for cybersecurity updates.

Takeaway 5: Issuing 3 new vignettes in next 30 days

The FDIC created a Cyber Challenge: A Community Bank Cyber Exercise which includes a series of vignettes.  Each vignette includes a video and challenge materials to promote conversation of critical issues.  The four vignettes available now address item processing failure, customer account takeover, bank internal error/phishing & malware problem, and technology service provider problem.  Three more vignettes will be made available in the next 30 days.