Members of the US Federal Financial Institutions Examinations Council (FFIEC) are being urged to include cybersecurity in exams conducted at more than 500 community institutions, including credit unions, it has been revealed.
A new programme run by PolicyWorks, which is affiliated with the Iowa Credit Union League, is calling for the Office of the Comptroller of the Currency, the Federal Reserve Board, the FDIC, the CFPB and the NCUA to prioritise compliance and security issues in their assessments.
“Regulators are particularly focusing on risk management and oversight, threat intelligence and collaboration, cybersecurity controls, service provider and vendor risk management, and cyber incident management and resilience. Another aim of the pilot is to help regulators make risk-informed decisions to enhance the effectiveness of supervisory programs, guidance and examiner training,” the FFIEC said in an announcement.
FFIEC examiners now ask about topics including crisis management plans and business impact analyses, job descriptions, IT audit reports and exception tracking, cybersecurity training, physical access controls such as key cards, biometrics and video cameras, network access controls such as patch management and vulnerability assessments, and access by and management of third-party vendors.
“FFIEC members will continue to assess the risks of cyberattacks to financial institutions and use the information gathered through a number of sources to determine the appropriate next steps and identify potential gaps in financial supervision,” said the council.
Lindsey Richardson, Compliance Officer at PolicyWorks, welcomed the move. “This is one instance where I hope examiners will find something so we can all come together as an industry to create a more secure environment,” she said. “A few years ago, you would see controls such as dual-factor authentication as a sufficient security program. Nowadays it’s trending toward multifactor authentication, biometrics and more.”
“With all the data breaches and the new products and services that are coming out every day, this is definitely an area where more controls are needed,” she added.