On June 24th, the FFIEC announced that they not only launched a new webpage on cybersecurity, but are also initiating a pilot program for 500 member community institutions that will focus on how these institutions manage cybersecurity and how prepared they are to mitigate cyber risks. Specifically, the press release states:
“Regulators are particularly focusing on risk management and oversight, threat intelligence and collaboration, cybersecurity controls, service provider and vendor risk management, and cyber incident management and resilience. Another aim of the pilot is to help regulators make risk-informed decisions to enhance the effectiveness of supervisory programs, guidance, and examiner training.”
The need for this level of regulatory effort is obvious, though not necessarily new to the world of finance. Just last year the United Kingdom ran its seventh test on the financial sector, and a few months before that, in July, some New York Wall Street banks initiated their own tests, run by the Securities Industry and Financial Markets Association (SIFMA). It is, however, promising to see industry recognition that the risks to financial institutions are significant and increasing.
Take, for example, the incidence of data loss as noted by the 2014 Verizon Data Breach Report and shown in Figure 1 below. The report itself states that there are other industries that far exceed the financial sector in terms of overall security incidents, but no other industry surpasses the financial sector for the number of total incidents where data was actually confirmed lost.
Figure 1: 2014 Verizon Data Breach Report
What I have found interesting for years is the level of security implementation I find in some small institutions versus that of larger institutions. While I find large institutions knowledgeable about risk and security needs, it’s often the smaller banks that move the fastest toward adoption of advanced security controls. Some of my earliest customers were small local banks, credit unions and clearinghouses that recognized new threats and, more importantly, had an organizational size that made implementation immediately feasible and manageable. The larger the institution, the more difficult it can be to implement new controls, especially across multiple business units in geographically distant locations; this often leads to cases where the risks seem too big to fix and hence go unmitigated.
This is why I am eager to see more of this type of industry assessment, which helps bring awareness, and in some cases re-awareness, within the member organizations of critical risks that are highly targeted, but possibly not yet mitigated or monitored.
I’m sure the FFIEC is as interested as I am to know how well the small and medium members’ cybersecurity controls compare to those of larger organizations. With 500 banks in the program, the results are certain to be a mixed bag, though the immediate value, as I see it, will be to the member institutions. These types of tests and their results often lend weight to security projects that need reprioritization.