FFIEC: boards need cybersecurity training

The results are in. The FFIEC’s recently completed pilot program for cybersecurity risk assessments at more than 500 community banks revealed a serious lack of understanding of cyber threats among C-level banking executives. Federal banking regulators will soon be taking a hard look at community bank executives and boards of directors to evaluate their awareness of such threats, as well as the bank’s ability to anticipate, address, manage and monitor them.

While bank leaders may not be asked why or how a certain type of attack happens from a technical perspective, they are likely to be asked during exams what their bank is doing to prevent and manage attacks, such as firewall penetration or DoS (denial of service) attacks. One resource for preparing to answer such questions is the Financial Services Information Sharing and Analysis Center (FS-ISAC), a private-sector nonprofit information-sharing forum established by the financial services industry to facilitate sharing of physical and cybersecurity threat and vulnerability information. It is available to financial institutions of all sizes.

Participating in such information-sharing forums is an important component of an effective cybersecurity risk management program. According to the FFIEC, community banks and their executives who regularly participate in such forums are better prepared to anticipate and mitigate risks, as well as to identify areas for improvement and enhance existing controls.

Not surprisingly, the FFIEC also reported that while most banks understand they need to train employees in this area, and most have also implemented controls to prevent cybersecurity breaches, training and IT programs need to be kept current and updated frequently. Specifically, the FFIEC recommends that banks take immediate steps to:

  • Ensure boards of directors and senior management understand their bank’s cybersecurity risks and routinely discuss cybersecurity issues in meetings
  • Monitor and maintain sufficient awareness of threats and vulnerabilities throughout the organization, including employee training at all levels and a robust IT-centered control environment
  • Manage connections with and to third parties and vendors
  • Incorporate cybersecurity scenarios into disaster plans and contingency planning
  • Implement stronger encryption of sensitive data, including the bank’s proprietary and technical information

Clearly, C-level executives and boards of directors should be fully engaged in cybersecurity issues.

