Long gone are the days when a financial institution’s primary security concern was protecting cash in the bank vault, the Federal Deposit Insurance Corporation (FDIC) acknowledges in its recent article, “A Framework for Cybersecurity,” released February 1, 2016. Instead, the framework asserts that cyber-attacks now represent “one of the most critical challenges facing the financial services sector,” and highlights four information security components essential to combating the most common types of cyber-attacks:
- Corporate Governance of Cybersecurity. To effectively combat electronic threats, financial institutions must foster a corporate culture prioritizing cybersecurity. Bank management and the board of directors bear the responsibility of establishing cybersecurity as an “enterprise-wide initiative” spanning all divisions of the financial institution.
- Threat Intelligence. The FDIC framework provides a number of resources available to help financial institutions gather, analyze, understand, and share information about digital vulnerabilities and threats. The Financial Services Information Sharing and Analysis Center (FS-ISAC) is an information-sharing forum which includes analysis and mitigation strategies relating to information security, disaster recovery, fraud investigations, and payment system risk. The Department of Homeland Security’s U.S. Computer Emergency Readiness Team (US-CERT) focuses on current security issues and provides alerts as well as publications, educational material, and assistance with cyber threats.
- Security Awareness Training. A financial institution’s risk control structure is only as secure as its most careless employee, making cybersecurity awareness training vital to preventing cyber-attacks. Mandatory security training encouraging employees and contractors to adopt the maxim “Think Before You Click” should be implemented company-wide, with role-specific training tailored to individual departments.
- Patch-Management Programs. Regular software updates (patches) addressing known security weaknesses and vulnerabilities in computer applications and operating systems can significantly reduce the number of security incidents faced by a financial institution. The FDIC suggests that an “effective patch-management program should include written policies and procedures to identify, prioritize, test, and apply patches in a timely manner.”
The FDIC framework includes additional resources for financial institutions wishing to improve cybersecurity and is available online here.