Thursday, December 3, 2015

FDIC takes multimedia approach to cybersecurity awareness

By J. Preston Carter, J.D., LL.M.

As part of its Community Banking Initiative, the Federal Deposit Insurance Corporation is adding to its cybersecurity awareness resources for financial institutions. The additions include a Cybersecurity Awareness video and three new video vignettes for the Cyber Challenge, which consists of exercises that are intended to encourage discussions of operational risk issues and the potential impact of information technology disruptions on common banking functions.

Operational risks. In a letter to its supervised institutions (FIL-55-2015), the FDIC noted that community financial institutions may be exposed to operational risks through internal or external events ranging from cyber attacks to natural disasters. Operational risks, it said, can threaten an institution's ability to conduct basic business operations, impact its customer service, and tarnish its reputation.

Resource Center. To help community financial institutions assess and prepare for these risks, the FDIC is incorporating new tools in its Directors' Resource Center. This part of the FDIC's website is dedicated to providing useful information and resources for directors and officers of FDIC-insured institutions. The content of this page focuses on guidance and other information that address current issues faced by the banking industry.

Video. The two-part Cybersecurity Awareness Directors’ College video series provides an overview of the threat environment and steps community financial institutions can take to be better prepared should a cyber attack occur. It is designed to assist bank directors with understanding cybersecurity risks and related risk management programs, and to “elevate cybersecurity discussions from the server room to the board room.” The two parts are:
 
Cyber Challenge. Cyber Challenge facilitates discussion between financial institution management and staff about operational risk issues. The exercises are designed to provide valuable information about an institution’s current state of preparedness and identify opportunities to strengthen resilience to operational risk.

Using seven video scenarios, the Cyber Challenge helps start an important dialogue among bank management and staff about ways they address operational risk today and techniques they can use to mitigate this risk in the future. The Cyber Challenge is not a regulatory requirement; it is a technical assistance tool designed to help assess operational readiness.

The first four Cyber Challenge videos and supporting discussion materials were released in early 2014. Now numbering seven, each video vignette depicts a unique scenario. The challenge questions for each vignette are designed to help bank management and staff think about how they would respond to the scenarios. Also included are lists of reference materials participants can turn to for more information. The seven scenarios are:
  1. Item Processing Failure: A new item processing service provider cannot process the volume of transactions generated by the bank.
  2. Customer Account Takeover: Unauthorized withdrawals are detected in a corporate customer’s account.
  3. Phishing and Malware Problem: Phishing email is opened by a bank employee, and the bank’s network is infected with malware.
  4. Technology Service Provider Problem: Problems occur after the financial institution’s service provider performs an update.
  5. Ransomware: A cyber-attack has taken place. Word processing files are being held for ransom.
  6. ATM Malware: An ATM virus reveals deficiencies in a bank’s service provider contract.
  7. DDoS as a Smokescreen: While the IT manager investigates a possible DDoS attack, a second attack exfiltrates data from the institution.


For more information about cybersecurity awareness for financial institutions, subscribe to the Banking and Finance Law Daily.