Headlines like “Target Offers $10M in Data Breach Settlement” should scare any financial institution into reevaluating the strength of its cybersecurity program. Immediately after the security breach, Target released a statement reporting, “as many as 40 million credit and debit card accounts may be impacted.”
Data breaches cost financial institutions far more than the reimbursement of debit and credit card holders. They also erode customer and shareholder confidence and trust. Ever hear of a ‘run on the bank?’ Financial institutions (FIs) are already aware of the evolving cyber-threat landscape, and cybersecurity now also plays a prominent role in new regulatory mandates. For example, the New York Department of Financial Services (NYDFS) is adding cybersecurity scrutiny to its audits and examinations. The Department plans to review the reliability of a financial institution’s cybersecurity incident response and event management, access controls, network security, vendor management, and disaster recovery procedures.
The change in NYDFS policy was prompted by a 2015 survey the department conducted of 150 depository institutions, which reported these findings:
- Most manage IT internally, relying on vendors for only a small percentage of the work
- Corporate governance around cybersecurity tends to be highly IT-centered (92% of respondents)
- A majority have the basic key pillars of an information security framework:
  - Written information security policies
  - Security awareness education and employee training
  - Some cyber-risk management
  - Information security audits
  - Incident monitoring and reporting
- Many also diversify their security technology platforms, including:
  - Anti-virus software and spyware/malware detection
  - Firewalls and data/file encryption
  - Server-based access control lists
  - Intrusion detection and prevention systems
  - Vulnerability scanning tools
- Penetration tests are usually conducted annually
In light of the escalation and sophistication of cyber-attacks, the Federal Financial Institutions Examination Council (FFIEC) released the Cybersecurity Assessment Tool in June 2015. It helps FIs identify cyber risks and determine their cybersecurity maturity. The Assessment has two parts: the Inherent Risk Profile and Cybersecurity Maturity.
The Inherent Risk Profile rates your FI’s inherent risk, that is, the risk present before any controls are applied, based on factors such as the technologies and connection types in use, delivery channels, products and services, organizational characteristics, and external threats. Cybersecurity Maturity is organized into domains, assessment factors, components, and individual declarative statements across five maturity levels (Baseline, Evolving, Intermediate, Advanced, and Innovative) to identify the specific controls and practices that are in place. Comparing the two parts shows whether your FI’s maturity levels are in line with its inherent risk: the higher the inherent risk, the higher the maturity level that is expected.
In response to the FFIEC’s Cybersecurity Assessment Tool, Ncontracts offers Ncyber, which saves our clients time, money, and stress. Ncyber is a configurable software solution that provides an exact online replication of the FFIEC’s tool. The click-n-go format walks you through the process of identifying inherent cyber risks and determining cybersecurity maturity. Ncyber also features a reporting dashboard for easy tracking and updating as your risk profile and cybersecurity maturity change.
If you would like to learn more about the FFIEC’s Cybersecurity Assessment Tool and Ncontracts’ solution, we invite you to visit our Ncyber product page today.