Pub. 9 2014-2015 Issue 2

www.nebankers.org 16 Extraordinary Service for Extraordinary Members.

TECH TALK

A Renewed Focus on Cybersecurity

Leticia Saiid, Security+, CoNetrix

Not long ago, the Federal Financial Institutions Examination Council (FFIEC) announced and began its examination pilot program for cybersecurity activities, reviewing more than 500 community financial institutions as part of its summer examination cycle. The FFIEC says the purpose of this pilot program is to “assess how community financial institutions manage cybersecurity and their preparedness to mitigate increasing cyber risks.”

So, why the need for more guidance? Shouldn’t our information security program address cyber attacks? Well, it could, but do you know of many institutions that are fully prepared to address a cybersecurity incident, regardless of what the incident may be? Probably not. Regardless of our desire for security, we are typically two steps behind attackers because they are the inventors of the attacks.

The new focus on cybersecurity is greatly directed toward improving the financial institution culture regarding cybersecurity, making it into a culture of corporate awareness and expectancy. You may notice that the FFIEC has emphasized a top-down structure, starting with the education of CEOs, through their informational webinar back in May. CEOs were encouraged to be bigger players in the cybersecurity sphere, due to the fact that every employee should be sensitive to the realities of cybersecurity. Admittance is the first step to recovery.

With the increased customer demand for new technologies, cybersecurity threats are exponentially increasing in number and in sophistication. Attackers now include nation-states, hacktivists, organizational criminals, and even malicious insiders. The motivations behind these attacks are even more diverse. It’s not just about the money; it’s about the message.
And the one message that is present, regardless of the attacker’s intention, is that customers cannot have confidence in the financial system. The loss involved is larger than money and larger than your institution. It is an attack on the sustainability of the system.

But enough scare tactics… You can do something about this. Yes, you, the small (or medium-sized) community institution. In some ways, you’re more capable of protecting yourself than larger institutions because you’re dealing with less complex systems, thus you have fewer points of vulnerability.

As of yet, no official FFIEC guidance exists regarding how your financial institution should manage its cybersecurity risk, but the current National Institute of Standards and Technology (NIST) framework has been pointed to as a likely candidate for an adopted cybersecurity framework.
