As highlighted at the Davenport Evans Banking Seminar, regulators are becoming increasingly concerned with the ability of banks to prevent and respond to cyber attacks. During the Seminar, we mentioned that the Federal Financial Institutions Examination Council (FFIEC) had advised that it was developing a “Cybersecurity Assessment Tool” for banks to use in evaluating their risk for a cyber attack and their ability to prevent and respond to such an attack. The Cybersecurity Assessment Tool has now been published by the FFIEC and is available for banks to use in evaluating the Bank’s overall risk for a cyber attack and determining whether the Bank has appropriate policies in place to mitigate such a risk.
The FFIEC is an interagency body consisting of the five federal banking regulators: the Federal Reserve, FDIC, NCUA, OCC, and CFPB that provides common guidance for use by all bank regulators in examinations. Thus, guidance issued by the FFIEC is applied to essentially all financial institutions. Indeed, the OCC has already indicated that it will incorporate the Assessment into its examinations late this year. As such, bank management responsible for cyber security and the bank’s information security programs should begin to familiarize themselves with the Assessment tool immediately.
The Assessment consists of two separate parts. First, the bank completes an “Inherent Risk Profile” assessment (available here) to determine overall exposure to a cyber attack. Second, the bank completes a “Cybersecurity Maturity” assessment (available here) to determine whether the bank has adequate controls to prevent and respond to a cyber attack. Both assessments consist of a list of questions which the bank responds to by selecting which one of five or six statements most accurately describe the bank’s operations.
Use of the Cybersecurity Assessment Tool is in fact just a “tool” and thus not mandatory. That being said, unofficial comments from the regulators indicate that they see the Assessment as being particularly useful for community banks. Moreover, guidance issued along with the Assessment makes clear that the regulators expect both bank management and their boards of directors to be actively involved in addressing cyber security issues. Thus, banks, especially those without an existing cyber security risk-management program, would be wise to document their completion of the assessment and the steps the bank has taken in response thereto. In addition, the results of the assessment and subsequent measures should be shared by management with the board.
Davenport, Evans, Hurwitz & Smith, LLP, located in Sioux Falls, South Dakota, is one of the state’s largest law firms. The firm’s attorneys provide business and litigation counsel to individuals and corporate clients in a variety of practice areas. For more information about Davenport Evans, visit www.dehs.com.