An interagency council of five banking regulators, including the Federal Reserve Board of Governors, released a tool to help financial institutions assess their cybersecurity posture.
The Federal Financial Institutions Examination Council’s tool helps businesses that conduct transactions like investments, loans and deposits determine what cybersecurity risks they face and how strong their safeguards are.
The council, which also includes the Federal Deposit Insurance Corp., National Credit Union Administration, Office of the Comptroller of the Currency and the Consumer Financial Protection Bureau, has been working on the tool for more than a year after launching a pilot in June 2014 for 500 member institutions.
Built using NIST’s cybersecurity framework, the tool calls for financial institutions to take an enterprisewide approach to instilling cybersecurity in their organizations. In particular, it emphasizes the need to re-evaluate the company’s posture whenever a product, service or initiative is launched.
The first part of the assessment asks companies to examine the risk associated with technologies and connection types, delivery channels, online and mobile-based products, organizational characteristics, and external threats. The second part is dedicated to measuring the following areas: cyber risk management and oversight, threat intelligence and collaboration, cybersecurity controls, external dependency management, and cyber incident management and resilience.
The council hopes the toolkit helps institutions determine how they need to grow their defenses as their business changes. A user guide published with the toolkit stressed that security assessments are not a one-time measure but need to be done continuously.
‘An institution’s inherent risk profile and maturity levels will change over time as threats, vulnerabilities, and operational environments change,’ the guide reads. ‘Thus, management should consider reevaluating its inherent risk profile and cybersecurity maturity periodically and when planned changes can affect its inherent risk profile.’
Banks have been targeted in a wave of cyber attacks in America in the past year. In October, JPMorganChase reported it had a breach that affected 76 million households and 7 million small businesses.
Visit the council’s website to find the toolkit, or watch a video on the tool below.