On June 24, 2014, citing the “increasing volume and sophistication of cyber threats,” the Federal Financial Institutions Examination Council (“FFIEC”) began a month-long cyber-security assessment of more than 500 community financial institutions and credit unions. Announcing what it dubbed a “pilot program,” the FFIEC, a formal interagency body made up of the FRB, FDIC, NCUA, OCC, and CFPB, explained that the assessments would be conducted as part of regularly scheduled examinations. In addition to checking compliance with existing supervisory expectations, examiners will assess each institution’s threat environment, defined in terms of the “types of communication connections and payments initiated, as well as how the institution manages its information technology products and services,” and each institution’s current preparedness for that environment.
The purpose of the FFIEC’s assessment appears to be two-fold. First, the FFIEC wants to determine whether financial institutions are prepared for the threats they actually face. To that end, if examiners find deficiencies, they will report them to the institution for remediation. In its assessment overview, the FFIEC noted that the assessment “does not impose new expectations for institutions, [and it will not] result in any new examination rating.” Second, the assessment will give the FFIEC an aggregate view of the threat landscape and the preparedness of community financial institutions. How the FFIEC will use that information is less clear, but it may well lead to cyber-security guidance for financial institutions.
At the heart of this assessment is the Framework for Improving Critical Infrastructure Cybersecurity, published by the National Institute of Standards and Technology in February 2014 and available on the NIST website. In brief, the NIST framework is a risk-based way of thinking about cyber security rather than a set of hard-and-fast rules: it organizes an organization’s activities into five core functions (Identify, Protect, Detect, Respond, and Recover) and lets each organization decide which practices and target profile fit its own risk. In keeping with that approach, the FFIEC will evaluate each institution’s preparedness across five areas: “risk management and oversight, threat intelligence and collaboration, cybersecurity controls, service provider and vendor risk management, and cyber incident management and resilience.”
The FFIEC is not the only regulatory body taking an interest in cyber security. For example, in March 2014 the SEC held a roundtable on cyber-security issues facing market participants, and on November 18, 2013 the DOD published a final rule requiring defense contractors and subcontractors to safeguard unclassified controlled technical information on their systems and to report cyber incidents affecting it. See 78 Fed. Reg. 69273 (Nov. 18, 2013).
At this point, it is not clear whether larger banks will have to undergo similar assessments. The FFIEC has said that the assessments are “part of a FFIEC cybersecurity awareness initiative that covers institutions of all sizes and complexity,” but that it is focusing first on community institutions in order to “provide additional support to community banks, which may not have access to the resources available to larger institutions.” Beyond greater resources, many larger institutions also have more experience with cyber-security issues, for example through participation in the Financial Services Information Sharing and Analysis Center (FS-ISAC). Whether or not the FFIEC ultimately requires cyber-security assessments of all institutions, it is sending a clear signal that every financial institution needs to take cyber security seriously.