

GENERAL COUNSEL CORNER, FALL 2015

PRESENTED BY GEORGIA'S LAW FIRM: LEGAL NEWS AND UPDATES FOR CBA MEMBERS

Financial institutions are the objects of frequent and sophisticated cyberattacks. The sources of potential cyberattacks have multiplied over the past decade, with threats no longer limited to crafty internet hackers attempting to access customer account information through an institution’s website. For example, sophisticated fraudsters recently have accessed confidential customer information by loading malware onto point-of-sale card readers, by hacking into vendor computer networks and by accessing employee laptops.

The implementation of effective controls to protect against cyberattacks should be a key component of every financial institution’s enterprise risk management plan. A successful cyberattack can be costly, including the costs for customer reimbursement, card reissuances, litigation and fraud monitoring services. Failure to prevent a cyberattack can also damage an institution’s market reputation, attract regulatory scrutiny and raise questions about the board’s competence.

THE FFIEC CYBERSECURITY ASSESSMENT TOOL

Financial institutions are required by law to safeguard confidential customer information. To assist in this endeavor, the Federal Financial Institutions Examination Council has developed a “Cybersecurity Assessment Tool” to be used by FDIC insured depository institutions (www.ffiec.gov/cyberassessmenttool). The Cybersecurity Assessment Tool provides a repeatable and measurable process for institutions to measure their cybersecurity programs. The Cybersecurity Assessment Tool consists of two assessments: the “Inherent Risk Profile” assessment, and the “Cybersecurity Maturity” assessment. The Inherent Risk Profile assessment measures a financial institution’s inherent vulnerability to cyberattacks. The Inherent Risk Profile incorporates the type, volume and complexity of the institution’s operations across five risk categories through which the institution’s activities, products and services are assessed according to risk levels ranging from least inherent risk to most inherent risk. The five categories are: technologies and connection types; delivery channels; online/mobile products and technology services; organizational characteristics; and external threats. Once the tool identifies the institution’s inherent risks and the threats associated with specific products, activities or services, management will then perform the second assessment.

The Cybersecurity Maturity Assessment helps management measure the institution’s level of risk and corresponding controls. Under this assessment, the cybersecurity operations of the financial institution are categorized into five domains, which are evaluated through a series of “assessment factors.” For example, one domain, “Cyber Risk Management and Oversight”, is evaluated by examining the institution’s governance processes, risk management procedures, employee training practices and internal resource allocations. After completing the Cybersecurity Maturity Assessment, management will assign one of the following maturity levels to each domain:

1. Baseline: the financial institution adheres to the minimum expectations required by law and includes primarily client-driven objectives.

2. Evolving: the financial institution implements additional formalities and documented procedures or policies that are not already required by law.

3. Intermediate: the financial institution’s cybersecurity system follows detailed, formal processes and the controls are both validated and consistent. Risk management practices are integrated into a broad comprehensive strategy.

4. Advanced: the financial institution’s cybersecurity practices are well integrated across the business. Practices are automated and continue to improve.

5. Innovative: the financial institution is an industry leader in cybersecurity processes, development and technologies.

For directors and officers, use of this self-assessment tool will assist in developing effective safeguards to protect their institutions against cyberattacks.

WHEN PREPARATION AND PROCESSES FAIL

Unfortunately, not all cybersecurity risks can be identified and eliminated. In addition to developing effective controls to protect against cyberattacks, directors and officers should also consider purchasing a specific cybersecurity liability insurance policy (“Cyberpolicy”). Cyberpolicies are not standard components of traditional corporate insurance programs, but such policies provide valuable protection against financial losses inflicted by successful cyberattacks. Cyberpolicies are relative newcomers to the insurance market and should be tailored to an institution’s risk profile.

Cyberpolicy coverages typically include the following: liability expenses (i.e., defense costs, damages, loss of customer funds, credit monitoring costs, forensic investigations and regulatory fines) connected to network security failures, wrongful disclosure of confidential information, regulatory investigations and attacks facilitated by a third-party vendor; and losses suffered by the institution as a result of a network-related business interruption. Directors should also review the institution’s D&O insurance coverage to ensure that it provides appropriate protections in the event that a cyberattack results in breach of fiduciary duty claims against directors and officers.

CONCLUSION

The risks posed by cyberattacks are an unfortunate reality in the financial services industry. Financial institutions should use a multifaceted approach to shield themselves from such risks. Directors and officers should ensure that their institutions are using effective cybersecurity risk assessment tools to identify potential cybersecurity threats, implement effective controls to mitigate such threats and ensure that appropriate insurance coverage is available to protect the institution and management.

OFFICES: MACON + ATLANTA

cbahotline@jamesbatesllp.com

“General Counsel Corner,” a recurring column featuring legal news and information of interest to CBA members, is brought to you by James-Bates-Brannan-Groover-LLP. Visit us at GeorgiasLawFirm.com

Have a topic you would like to see covered in “General Counsel Corner?” Email us at generalcounselcorner@jamesbatesllp.com

FFIEC Assessment Tool Helps Officers and Directors Address Cybersecurity, by Thomas A. Simpson

Thomas A. Simpson, Associate, (404) 997-7506
