ABA Banking Journal - November/December 2015 - (Page 48)
FEATURE > CYBERSECURITY
Cybersecurity Self-Assessment Tool Helps Combat Risk
A new assessment tool issued in June by
federal regulators helps financial institutions
identify risks and measure cybersecurity.
BY DEBRA COPE
The real and growing threat of cyberattacks against
financial institutions has firmly established
cybersecurity as a C-suite and boardroom priority.
With the introduction of the federal financial
regulatory agencies' Cybersecurity Assessment Tool,
banks are gaining a new resource to help them measure,
demonstrate and continuously monitor their preparedness.
But they also face new implementation challenges.
Unveiled in June by the Federal Financial Institutions
Examination Council, the assessment tool was designed to
help institutions identify their inherent risks and determine
their cybersecurity maturity across five risk areas. Its issuance
culminated more than a year of intensive work by the FFIEC's
Cybersecurity and Critical Infrastructure Working Group,
and underscores the importance of calibrating a bank's
cybersecurity posture to its individual activities and risks.
The working group laid a foundation in 2014 by conducting
a four-week pilot program evaluating 500 community
institutions' capacity to mitigate cyber risks. The findings
shaped the development of the assessment tool, which
aligns with the FFIEC Information Technology Examination
Handbook and the National Institute of Standards and
Technology's (NIST) Cybersecurity Framework.
"It's not a silver bullet or a stand-alone," says Bethany
Dugan, deputy comptroller for operational risk at the OCC.
"It is one more resource for bankers to help understand
their potential risk exposure and profile and to gauge
where they stand in being able to deal with the threats."
Importantly, Dugan says, "it provides a common point of view
on cybersecurity. We heard from institutions and bankers that
we supervise that that was one of the things they were looking for."
Use of the tool by banks is optional, with an asterisk. In
separate letters to the institutions they supervise, the FDIC says
its examiners will discuss the tool with management during
exams to make sure they are aware of it; the OCC states that its
examiners will gradually incorporate the assessment into bank
exams; and the Federal Reserve Board notes that it would begin
to use the assessment tool in the exam process by early 2016.
In other words, "It's voluntary until the examiners come in
and say, 'Why didn't you do this?' Then suddenly it's not so
voluntary anymore," says Kevin Petrasic, a partner in the
Washington, D.C., office of the law firm White & Case LLP.
Two key components
The assessment has two parts. First, management evaluates