Coming soon: cybersecurity assessments

Cybersecurity: the technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access.

The Federal Financial Institutions Examination Council (FFIEC) has not been shy about its enhanced focus on cybersecurity risk mitigation at smaller financial institutions. Actions have included the creation of the Cybersecurity and Critical Infrastructure Working Group, and the National Institute of Standards and Technology's issuance of the voluntary cybersecurity framework. Plus, in early April, the FFIEC issued warnings about distributed denial-of-service (DDoS) attacks and ATM cash-out schemes targeting smaller institutions.

"Third-party vendors are especially important to community banks, many of which outsource their back-office operations to technology service providers. While the largest institutions might be the most tempting targets for the bad guys, what we've learned from other sectors and are now seeing in the financial sector is that as the larger financial institutions improve their defenses, hackers are likely to direct more of their attention to community banks."
-- Thomas J. Curry, Comptroller of the Currency, May 2014


That's why the FFIEC's early-May announcement of a pilot program for cybersecurity assessments at community banks should not be a surprise. Regulators say that while the assessments will be incorporated into routine IT examinations, bank executives should be prepared for stricter oversight of how they identify risks, document their understanding of the seriousness of those risks, and plan to manage potential and actual cyber threats.

| Malware/Tool | Description |
|---|---|
| Virus | A program that has infected some executable software and, when run, causes the virus to spread to other executables. A virus might corrupt or delete data on a computer, use e-mail programs to infect other computers, or even erase everything on a hard disk. |
| Ransomware | Malware that restricts access to the computer system it infects and demands that a ransom be paid to the distributor of the ransomware in order for the restriction to be removed. |
| Worms | Programs that actively transmit themselves over a network to infect other programs without requiring human involvement. |
| Trojans | Computer programs that appear to have a useful function, but that also have a hidden and potentially malicious function that evades security mechanisms by, for example, masquerading as a useful program that a user would likely execute. |
| Spyware | Software that covertly gathers user information through an Internet connection without the user's knowledge, for advertising purposes or to steal confidential information. |
| Botnet | A collection of compromised computers connected to the Internet on which malware is running. Each compromised computer is called a bot. The human controlling a botnet is called a botmaster. Command and control servers are web servers that control the botnet under the direction of a botmaster. |
| Logic Bombs | Programming code intentionally inserted into a software system that will cause a malicious function to occur when one or more specified conditions are met. |
| Phishing | A digital form of social engineering that uses authentic-looking, but fake, e-mails to request information from users or direct them to a fake website that requests information. |

Source: Federal Reserve System

Tips for Strong Security

  • Set the tone from the top in building a security culture
  • Identify, measure, mitigate, and monitor risks
  • Develop risk management processes that align with the complexity of the organization
  • Align cybersecurity strategy with business strategy and account for how risks will be managed now and in the future
  • Create a process to ensure ongoing awareness and accountability
  • Ensure timely reports to senior management and the financial institution's board of directors that include meaningful information addressing the institution's vulnerability

Source: FFIEC

Click here to read the Cybersecurity Framework provided by NIST.
