Finance examiners told to bump up compliance content

Members of the US Federal Financial Institutions Examinations Council (FFIEC) are being urged to include cybersecurity in exams sat at more that 500 community institutions, including credit unions, it has been revealed.

A new programme run by PolicyWorks, which is affiliated with the Iowa Credit Union League, is calling for the Office of the Comptroller of the Currency, the Federal Reserve Board, the FDIC, the CFPB and the NCUE to prioritise compliance and security issues in their assessments.

Regulators are particularly focusing on risk management and oversight, threat intelligence and collaboration, cybersecurity controls, service provider and vendor risk management, and cyber incident management and resilience. Another aim of the pilot is to help regulators make risk-informed decisions to enhance the effectiveness of supervisory programs, guidance and examiner training,” the FFIEC said in an announcement.

FFIEC examiners now ask about topics including crisis management plans and business impact analyses, job descriptions, IT audit reports and exception tracking, cybersecurity training, physical access controls such as key cards, biometrics and video cameras, network access controls such as patch management and vulnerability assessments, and access by and management of third-party vendors.

FFIEC members will continue to assess the risks of cyberattacks to financial institutions and use the information gathered through a number of sources to determine the appropriate next steps and identify potential gaps in financial supervision,” said the council.

Lindsey Richardson, Compliance Officer at PolicyWorks, welcomed the move. “This is one instance where I hope examiners will find something so we can all come together as an industry to create a more secure environment,” she said. “A few years ago, you would see controls such as dual-factor authentication as a sufficient security program. Nowadays it’s trending toward multifactor authentication, biometrics and more.”

With all the data breaches and the new products and services that are coming out every day, this is definitely an area where more controls are needed,” she added.



Related reading