FFIEC cybersecurity pilot program raises awareness of third-party risks

It’s no surprise that the Federal Financial Institutions Council (FFIEC) has launched its cybersecurity pilot program at 500 financial institutions to raise awareness of third-party risks. The assessments focus on the institution's handling of its risk management, risk oversight, threat intelligence and collaboration, and management of service providers and vendors. Although they are being incorporated into routine examinations, that doesn’t mean the assessments are quick, cursory reviews. Rather, the institution's leadership needs to be fully briefed, involved and prepared.

Key Statistics

  • The global price tag of consumer cybercrime is $113 billion annually. (Symantec, 2013 Norton Report)
  • Smaller organizations incur a significantly higher per-capita cost than larger organizations. (Ponemon Institute)
  • Organizations experienced an average of 122 successful attacks per week, up from 102 attacks per week in 2012. (Ponemon Institute)
  • The average time to resolve a cyberattack was 32 days, with an average cost incurred during this period of $1,035,769, or $32,469 per day. (Ponemon Institute)

First and foremost, regulators are looking for solid confirmation that a security-minded culture is being built from the top down. This means that an institution must document and demonstrate that executive management and the board of directors are informed about big-picture cybersecurity threats, as well as the specific potential risks facing their institution from internal and external sources. Some tips on how to achieve this include:

  • Incident response plans should document how the institution will handle a cyberattack on its internal network and information assets, and on its third-party vendors’ networks.
  • IT strategic plans should detail the controls the institution is using to identify, mitigate, monitor and evaluate risk today and into the future.
  • Ongoing awareness, accounting and meaningful risk reporting policies and procedures should be documented, and institution leadership needs to be able to demonstrate knowledge of them to regulators.
  • Robust employee training programs should demonstrate that cyber threat awareness and information is being shared throughout the organization, and show that training on how to protect business-critical information and respond to data breaches is in place.

Closely related to employee training is a definitive policy regarding employee use of mobile devices for work. While people are protecting their computers, there is a general lack of awareness of the need to safeguard their smartphones and tablets. As a result, the lack of effective authentication and defense mechanisms is the primary cause of incidents for mobile users. In fact, nearly one-third of mobile device users were victims of illegal activities last year. Cyberattacks can be mitigated by ensuring employees who use mobile devices connect to the enterprise network via a secure connection, specifying the wireless access protocols that are allowed on the mobile device, and disallowing connections via unsecured Wi-Fi networks.

Moreover, Data Use Agreements, which identify how employees and third parties connect to the institution's network and what information they can access, are garnering increased attention since some 49% of users report that they use their personal mobile devices for work-related activities. Such agreements should clearly explain the financial institution's ownership of network data and note that only institution-approved devices can connect to the network. Policies should also set forth how the institution tracks devices, how it will wipe access from a device if it is lost or stolen, and how a device will be retrieved from a terminated employee.
