WASHINGTON—The Federal Financial Institutions Examination Council (FFIEC) on Monday released observations from the recent cyber-security assessment and recommended that regulated financial institutions participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC).
The FS-ISAC is a non-profit, information-sharing forum established by financial services industry participants to facilitate the public and private sectors’ sharing of physical and cybersecurity threat and vulnerability information.
During the summer of 2014, FFIEC members piloted a cyber-security assessment at more than 500 community institutions to evaluate the institutions’ preparedness to mitigate cyber-security risks. The FFIEC Cybersecurity Assessment General Observations provides themes from the assessment and suggests questions that chief executive officers and boards of directors may consider when assessing their institutions’ cyber-security preparedness, the FFIEC stated in a release.
The FFIEC also recommended that financial institutions of all sizes participate in the FS-ISAC as part of their process to identify, respond to, and mitigate cyber-security threats and vulnerabilities.
The FFIEC stated that “rapidly evolving cybersecurity risks reinforce the need for all institutions and their critical technology service providers to have appropriate methods for obtaining, monitoring, sharing, and responding to threat and vulnerability information. Financial institution management is expected to monitor and maintain sufficient awareness of cybersecurity threats and vulnerability information so that they may evaluate risk and respond accordingly.”
John McKechnie, partner at Washington-based consulting firm Total Spectrum, pointed out that the observations from the FFIEC do not constitute formal guidance, but that they deserve attention.
“The depth and breadth of cybersecurity issues are on display here, and if anything the complexity that FFIEC outlines in this guidance drives home the point that, contrary to what the retail lobby says, data security is not simply confined to whether ‘chip and pin’ card technology is in place,” McKechnie said.
