As Cybersecurity Awareness Month wrapped up last week, we wrote about how big banks are encouraging law firms and third-party vendors to close the gaps in their security programs to avoid being targets of cyber criminals. We also noted how the Federal Financial Institutions Examination Council (FFIEC) suggested that small banks in particular take steps to reduce the risk of DDoS attacks.
After assessing potential security gaps in 500 community banking institutions (defined as those having $1 billion or less in assets), the FFIEC is now updating its Cybersecurity Guidance.
The update makes the following recommendations:
- Engage your board of directors and senior management to ensure they understand cybersecurity risks;
- Include cybersecurity issues in meetings;
- Maintain situational awareness of threats and vulnerabilities throughout the organization;
- Establish and maintain a dynamic control environment;
- Manage connections with and to third parties; and
- Develop and test business continuity and disaster recovery plans that incorporate cyber-incident scenarios.
In addition to the updated guidance, the FFIEC stressed the importance of community banks maintaining their situational awareness by using information sharing such as FS-ISAC. As Avivah Litan from Gartner noted, “Collaboration and sharing threat intelligence greatly increases the chances individual banks have of mitigating risk. The criminals typically attack multiple financial institutions using the same techniques, attack servers and malware. The bad guys are definitely collaborating and cross-pollinating – and so should the good guys.”
Besides information sharing, the November 3 statement also discusses the need for cybersecurity preparedness and incident management. No matter the size of the bank or the type of third-party vendor working with banks, regulatory organizations are stressing the need for tighter cybersecurity measures.