As Cybersecurity Awareness Month wrapped up last week, we wrote about how big banks are encouraging law firms and third-party vendors to close the gaps in their security programs to avoid being targets of cyber criminals. We also noted how the Federal Financial Institutions Examination Council (FFIEC) suggested that small banks in particular take steps to reduce the risk of DDoS attacks.
After assessing potential security gaps in 500 community banking institutions (defined as those having $1 billion or less in assets), the FFIEC is now updating its Cybersecurity Guidance.
The update makes the following recommendations:
- Engage your board of directors and senior management to ensure they understand cybersecurity risks;
- Include cybersecurity issues in meetings;
- Maintain situational awareness of threats and vulnerabilities throughout the organization;
- Establish and maintain a dynamic control environment;
- Manage connections with and to third parties; and
- Develop and test business continuity and disaster recovery plans that incorporate cyber-incident scenarios.
In addition to the updated guidance, the FFIEC stressed the importance of community banks maintaining their situational awareness by using information sharing such as FS-ISAC. As Avivah Litan from Gartner noted, “Collaboration and sharing threat intelligence greatly increases the chances individual banks have of mitigating risk. The criminals typically attack multiple financial institutions using the same techniques, attack servers and malware. The bad guys are definitely collaborating and cross-pollinating – and so should the good guys.”
Besides information sharing, the November 3 statement also discusses the need for cybersecurity preparedness and incident management. No matter the size of the bank or the type of third-party vendor working with banks, regulatory organizations are stressing the need for tighter cybersecurity measures.