ABA Banking Journal - May/June 2015 - (Page 58)
The Treasury Department's
BOILING DOWN WHAT really matters concerning cybersecurity is a tough but worthy exercise. During recent remarks,
Deputy Treasury Secretary Sarah Bloom Raskin offered a checklist of what the Treasury Department thinks are the
essential elements of cybersecurity. Here we examine how your bank can answer her challenge.
MAKE CYBER RISK PART OF YOUR BANK'S CURRENT RISK MANAGEMENT FRAMEWORK
* Tailor your framework to the size and business operations of your bank.
* Identify the cyber threats presented by your particular activities and operations and match those threats to the appropriate technology
* Adopt policies, procedures and other controls to address identified cyber threats that their technology solutions cannot control and to reasonably anticipate possible breakdowns and overrides of that technology.
* Employ highly qualified people to monitor and continually reassess the effectiveness of the deployed technology and controls, including those technologies or controls that are not directly operated by the institution.
USE THE NIST CYBERSECURITY FRAMEWORK
* Identify your bank's cyber posture and
determine its risk profile and tolerance.
* Develop organizational communication plans
for responding to attacks.
* Establish a common language and set of
practices, standards and guidelines.
* Apply your established risk-management
approaches when the risks and associated
controls are cyber-related.
* Evaluate vendors and other third parties with
access to your networks, systems and data.
UNDERSTAND THE SECURITY SAFEGUARDS THAT YOUR THIRD PARTIES HAVE IN PLACE
* Know all vendors and third parties with access
to your systems and data.
* Ensure that those third parties have
appropriate protections to safeguard your
systems and data.
* Conduct ongoing monitoring to ensure
adherence to protections.
* Document protections and related obligations
in your contracts.
EVALUATE YOUR NEED FOR CYBER RISK INSURANCE
* Know what it covers and excludes.
* Know if it is adequate based on your
* Leverage the qualification process to help assess your bank's risk level.
ENGAGE IN BASIC CYBER HYGIENE
* Know all the devices connected to
* Know who has administrative permissions to change, bypass and override
* Reduce that number to only those who need
* Patch software on a timely basis.
* Conduct continuous, automated
SHARE INCIDENT DATA WITH INDUSTRY GROUPS
* Join the Financial Services Information Sharing and Analysis Center.
HAVE AN INCIDENT PLAYBOOK AND A POINT PERSON FOR RESPONSE AND RECOVERY
* Have a detailed, documented plan that designates who is responsible for leading the
* Choose a lead with exceptional organizational and communication skills because he or she will quarterback internal and
DESIGNATE SENIOR LEADER AND BOARD ROLES DURING A CYBER INCIDENT RESPONSE
* Designate when and which matters get escalated to the CEO.
* Designate whether the full board or a committee, like risk or audit, is initially tasked to oversee the response from a
* Participate in cyber exercises that simulate a cyber intrusion. Include the CEO, directors and other key players.
KNOW WHEN AND HOW TO ENGAGE WITH LAW ENFORCEMENT AFTER A BREACH
* Have in your playbook when you should reach out to law enforcement.
* Cultivate relationships with local U.S. Secret Service and FBI field offices.
KNOW WHEN AND HOW YOU WILL INFORM EVERYONE OF AN EVENT
* Be transparent.
* Avoid technical jargon and legalese and provide clear and consistent information.
* Draft messages for various scenarios.