ABA Banking Journal - May/June 2015 - (Page 58)

CYBERSECURITY

The Treasury Department's Cybersecurity Checklist

Boiling down what really matters concerning cybersecurity is a tough but worthy exercise. During recent remarks, Deputy Treasury Secretary Sarah Bloom Raskin offered a checklist of what the Treasury Department thinks are the essential elements of cybersecurity. Here we examine how your bank can answer her challenge.

MAKE CYBER RISK PART OF YOUR BANK'S CURRENT RISK MANAGEMENT FRAMEWORK
* Tailor your framework to the size and business operations of your bank.
* Identify the cyber threats presented by your particular activities and operations and match those threats to the appropriate technology solutions.
* Adopt policies, procedures and other controls to address identified cyber threats that technology solutions cannot control and to reasonably anticipate possible breakdowns and overrides of that technology.
* Employ highly qualified people to monitor and continually reassess the effectiveness of the deployed technology and controls, including those technologies or controls that are not directly operated by the institution.

USE THE NIST CYBERSECURITY FRAMEWORK
* Identify your bank's cyber posture and determine its risk profile and tolerance.
* Develop organizational communication plans for responding to attacks.
* Establish a common language and set of practices, standards and guidelines.
* Apply your established risk-management approaches when the risks and associated controls are cyber-related.
* Evaluate vendors and other third parties with access to your networks, systems and data.

UNDERSTAND THE SECURITY SAFEGUARDS THAT YOUR THIRD PARTIES HAVE IN PLACE
* Know all vendors and third parties with access to your systems and data.
* Ensure that those third parties have appropriate protections to safeguard your systems and data.
* Conduct ongoing monitoring to ensure adherence to protections.
* Document protections and related obligations in your contracts.

EVALUATE YOUR NEED FOR CYBER RISK INSURANCE
* Know what it covers and excludes.
* Know if it is adequate based on your risk exposure.
* Leverage the qualification process to help assess your bank's risk level.

ENGAGE IN BASIC CYBER HYGIENE
* Know all the devices connected to your networks.
* Know who has administrative permissions to change, bypass and override system configurations.
* Reduce that number to only those who need those privileges.
* Patch software on a timely basis.
* Conduct continuous, automated vulnerability assessments.

SHARE INCIDENT DATA WITH INDUSTRY GROUPS
* Join the Financial Services Information Sharing and Analysis Center.

HAVE AN INCIDENT PLAYBOOK AND A POINT PERSON FOR RESPONSE AND RECOVERY
* Have a detailed, documented plan that designates who is responsible for leading the response-and-recovery efforts.
* Choose a lead with exceptional organizational and communication skills, because he or she will quarterback internal and external interactions.

DESIGNATE SENIOR LEADER AND BOARD ROLES DURING A CYBER INCIDENT RESPONSE
* Designate when and which matters get escalated to the CEO.
* Designate whether the full board or a committee (such as risk or audit) is initially tasked to oversee the response from a governance perspective.
* Participate in cyber exercises that simulate a cyber intrusion. Include the CEO, directors and other key players.

KNOW WHEN AND HOW TO ENGAGE WITH LAW ENFORCEMENT AFTER A BREACH
* Have in your playbook when you should reach out to law enforcement.
* Cultivate relationships with local U.S. Secret Service and FBI field offices.

KNOW WHEN AND HOW YOU WILL INFORM EVERYONE OF AN EVENT
* Be transparent.
* Avoid technical jargon and legalese and provide clear and consistent information.
* Draft messages for various scenarios.
