Compliance Blog

Written by JiJi Bahhur, Director of Regulatory Compliance

FFIEC Cybersecurity Best Practices. Earlier this week, the Federal Financial Institutions Examination Council (FFIEC) released observations from a recent cybersecurity assessment.  The “FFIEC Cybersecurity Assessment General Observations” suggests best practices to consider when assessing institutions’ cybersecurity preparedness. 

Divided into two main categories, the first part of the assessment discusses cybersecurity inherent risk, defining it as “the amount of risk posed by a financial institution’s activities and connections, notwithstanding risk-mitigating controls in place.”  Some questions to consider when assessing the level of cybersecurity inherent risk within the institution include:

• What types of connections (e.g., virtual private networks, wireless networks, telnet, etc.) does my financial institution have?
• How are we managing these connections in light of the rapidly evolving threat and vulnerability landscape?
• Do we need all of our connections?  Would reducing the types and frequency of connections improve our risk management?
• How do we evaluate evolving cyber threats and vulnerabilities in our risk assessment process for the technologies we use and the products and services we offer?
• How do our connections, products and services offered, and technologies used collectively affect our financial institution’s overall inherent cybersecurity risk?

The second part of the assessment reviews financial institutions’ current practices and overall preparedness, focusing on:

• Risk management and oversight;
• Threat intelligence and collaboration;
• Cybersecurity controls;
• External dependency management; and
• Cyber incident management and resilience.

As part of the assessment, the FFIEC also recommended that regulated financial institutions, including credit unions, participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC) as part of their process to identify, respond to, and mitigate cybersecurity threats and vulnerabilities.  The FS-ISAC is a non-profit, information-sharing forum established by financial services industry participants to facilitate the public and private sectors’ sharing of physical and cybersecurity threat and vulnerability information.    

And last, as a result of the assessment, the FFIEC mentions in its assessment that it is reviewing and updating current guidance to align with changing cybersecurity risk.  To see the assessment in its entirety, including other questions to consider when managing cybersecurity at your credit union, click here. 

***

Free Webcast. Digital Commerce: The Future is Here!

Emerging payments technologies such as Apple Pay can level the playing field with your biggest competitors. Stay relevant in the face of dynamic change; attend this webcast to learn how different payments options work and how to best implement them in your credit union. MasterCard’s Vice President of Emerging Payment Solutions, Rita Ramirez will provide you with the information you need to begin taking advantage of the exciting new changes in payments technologies. Free for NAFCU members and nonmembers!

***

Thing 1 and Thing 2.  This year for Halloween, I decided to be creative and make my kids’ wigs from scratch for their Halloween costumes.  I’d say I did pretty darn well!  Toot, toot!