Coming on the heels of the business resiliency guidance on third-party service providers released in February, the FFIEC issued a press release last Tuesday detailing its focus on cybersecurity for the remainder of 2015. This is in addition to the discussion of Cybersecurity Resiliency within the just-released Appendix J to the IT Examination Handbook series. The pilot cybersecurity assessment that the FFIEC completed in 2014 with 500 institutions has led it to detail multiple efforts to help the industry self-assess and prepare for cybersecurity threats.
We see three key issues coming from this press release:
1. A cybersecurity self-assessment tool is being finalized to allow FIs to evaluate their own cybersecurity posture. We predict that once this tool is released, it will become an important future exam element and will likely need to be integrated into all measures of operational risk, including services received from third-party providers, and risk rated within solutions such as VendorINSIGHT®.
2. The press release notes that the FFIEC is not yet done with guidance as it relates to third parties. Specifically, the FFIEC will “expand their focus on technology service providers’ cybersecurity preparedness.” As with the February updates to our software solutions on Business Resilience, we expect continuing updates to our VendorINSIGHT® and BCP-Insight™ solutions to keep pace with best practices and guidance.
3. IT Governance expectations will increase. Per the press release, the FFIEC “will enhance their incident analysis, crisis management, training, and policy development.” This likely means that the expansion and coordination at the regulatory level will end up in the policy and procedure guidance deployed within your organizations and overseen by management and the board.
We applaud the FFIEC for bringing this critical element of security and risk to the forefront and for leading the key partnering between the public and private sectors. We are not surprised, as we provided earlier commentary in our blog entry in June of 2014. Stay tuned to Channel VendorINSIGHT and we’ll keep you abreast of how our systems will continue to evolve to meet these new requirements as they are announced.