The Federal Financial Institutions Examination Council launched a web page on cybersecurity (www.ffiec.gov/cybersecurity.htm) as a central repository for current and future FFIEC-related materials on cybersecurity.
While information security has been a core focus of supervision for decades, the FFIEC members are taking a number of steps to raise awareness of cybersecurity risks at financial institutions and the need to identify, assess, and mitigate these risks in light of the increasing volume and sophistication of cyber threats that pose risks to all industries in our society. The FFIEC web page provides links to joint statements, webinars, and other information that may help financial institutions when thinking about the issue of cybersecurity.
The launch of this web page coincides with a pilot program at more than 500 community institutions, to be conducted by state and federal regulators and completed during regularly scheduled examinations. Information from the pilot effort will assist regulators in assessing how community financial institutions manage cybersecurity and their preparedness to mitigate increasing cyber risks.
Regulators are particularly focusing on risk management and oversight, threat intelligence and collaboration, cybersecurity controls, service provider and vendor risk management, and cyber incident management and resilience. Another aim of the pilot is to help regulators make risk-informed decisions to enhance the effectiveness of supervisory programs, guidance, and examiner training.
FFIEC members will continue to assess the risks of cyber attacks to financial institutions and use the information gathered through a number of sources to determine the appropriate next steps and identify potential gaps in financial supervision.
Other recent FFIEC efforts on cybersecurity highlighted on the web page include:
- Creation of the Cybersecurity and Critical Infrastructure Working Group (June 2013)
- Joint Statement concerning Microsoft’s discontinuation of Microsoft Windows XP (October 2013)
- Joint Statement on Cyber Attacks on ATMs and Card Authorization Systems (April 2014)
- Joint Statement on Distributed Denial of Service Attacks (April 2014)
- Alert on OpenSSL “Heartbleed” Vulnerability (April 2014)
- Webinar and video on cybersecurity for community institution CEOs (May 2014)