BreachExchange mailing list archives

FDIC: What to Expect in New Guidance


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 21 Nov 2014 18:48:30 -0700

http://www.databreachtoday.com/fdic-what-to-expect-in-new-guidance-a-7596

When the Federal Financial Institutions Examination Council releases new
cybersecurity guidance, it will address specific types of cyber-attacks and
threats, according to examination specialists from the Federal Deposit
Insurance Corp., one of the FFIEC's regulatory agencies.

During a Nov. 20 community banking advisory committee meeting, members of
the FDIC's Division of Risk said future IT examinations for banking
institutions of all sizes will include reviews of specific cybersecurity
initiatives, such as employee awareness and training, as well as software
and operating system patching.

New guidance also is expected to address inherent risks associated with
mobile banking - an area many critics said should have been included within
the FFIEC's updated authentication guidance, which was released in June
2011 (see FFIEC Draft: The Bad and Good).

When this new guidance will be issued, however, is unclear. But industry
analysts say they expect banking regulators to issue the guidance within
the next year, as congressional pressure to address emerging cyber-attacks
continues to grow.

Why Guidance Is Needed

A catalyst for new guidance on cybersecurity initiatives was the FFIEC's
summer pilot program for cyber-risk assessments conducted at 500 community
banks (see FFIEC to Update Cybersecurity Guidance).

As a result of those exams, banking regulators note five domains where more
attention must be paid to cybersecurity, says Marlene Roberts, a senior
examination specialist at the FDIC. Those five domains include:

- Risk management and oversight, which includes C-level and employee
  awareness of emerging cyberthreats;
- Threat intelligence and information sharing;
- Cybersecurity controls, such as network-intrusion detection systems;
- Dependency management of third-party service providers;
- Management resilience, which includes disaster recovery and business
  continuity planning in the wake of a cyber-incident.

"Boards and management should stay abreast of cybersecurity issues, and
routinely discuss cybersecurity and maintain awareness," Roberts says. "The
world has evolved to a point where institutions, no matter what size, are
going to be at risk of being targeted by a cyber-attack."

The purpose of the new guidance, and a more thorough cybersecurity
examination program, is to ensure that banking institutions have addressed
basic cyber hygiene, she adds.

Banking institutions also should be prepared to show examiners how they are
mitigating threats posed by specific attacks and vulnerabilities, such as
Heartbleed, the Bash bug, distributed-denial-of-service attacks and ATM
cash-outs, says Donald Saxinger, another FDIC senior examination specialist.

Institutions already have some regulatory pointers they can use as
guideposts in anticipation of the guidance, Saxinger says. That's because
all of the cyber-risk warnings issued by the FFIEC and its member agencies
over the last 12 months will eventually be included in the new guidance.

"We have put out warnings related to SSL [secure sockets layer]
vulnerabilities with Heartbleed, for instance, which will be included in
our guidance," he says.

Information Sharing

The new guidance also will likely include recommendations for information
sharing.

"In 2006, the Information Security Booklet was updated to address
monitoring security threats," Saxinger says. "Today, the threats are
greater. So, in April, we recommended that banks use external resources,
such as the U.S. CERT [Community Emergency Response Teams] to share
information. In November, we issued another press release advising that
financial institutions participate in information sharing organizations
like the FS-ISAC [Financial Services Information Sharing and Analysis
Center]."

Information sharing also includes sharing detailed data-breach
cost-analyses with law enforcement, to ensure no cyber-event falls under
the radar, Roberts adds.

"If the cost of the breach reaches a certain threshold, you can file a SAR
[suspicious activity report], and that helps law enforcement determine if
this is an isolated incident or is one that is more widespread," she says.

How Institutions Can Prepare

Amy McHugh, an attorney and former FDIC IT examination analyst who now
works as a banking consultant for CliftonLarsonAllen, says information
sharing and C-level awareness are the two areas where community
institutions should be focusing most of their attention.

Both of those areas were critical weak points regulators noted in their
post-pilot-exam analysis, she says.

"I continue to stress the importance of financial institutions belonging to
some sort of information sharing community, like the FS-ISAC, and regional
or local peer groups," McHugh says. "Also, institutions should strengthen
their incident response programs to include at least annual scenario
testing and training."

A Shift in Regulatory Oversight?

Financial fraud expert Avivah Litan, an analyst at the consultancy Gartner,
says consolidating and formalizing cybersecurity objectives within formal
guidance should help banking institutions ensure they are investing in the
right cyberthreat mitigation strategies and technologies. "Having guidance
helps fraud and security teams get budgets for bigger investments," she
says.

But new guidance also means more heavy-handedness from the regulators,
which often slows business processes, she contends.

Javelin Strategy & Research analyst Al Pascual says regulators, by calling
for the inclusion of specific threats and vulnerabilities like Shellshock,
may be suggesting that they plan to be more active and current with their
guidance and examination expectations going forward.

"It leads me to believe that any guidance regulators release would be on an
annual, or even continually updated, basis, which is pretty unique,"
Pascual says. "It would be a welcomed change to a world where it takes
years to formalize best practices, which, by the time they take effect, are
often dated."

Shirley Inscoe, a financial fraud analyst with the consultancy Aite, says
the FDIC's comments likely signal a significant shift in the way regulators
address and assess cybersecurity.

"Cybercrime has become such a major problem, the regulators must focus on
it more regularly going forward," she says. "There are so many new forms of
malware, so many hacking incidents and so many data breaches - the
environment is extremely challenging, so it deserves regular attention."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/