WASHINGTON — Federal regulators released a document summarizing their general findings from recent cybersecurity assessments at community-size financial institutions.
The Federal Financial Institutions Examination Council piloted cybersecurity checkups at more than 500 smaller institutions over the summer to gauge their preparedness for dealing with online threats.
The agencies on Monday shared "general observations" from the reviews, while also recommending that regulated institutions "of all sizes" participate in a private-sector group — the Financial Services Information Sharing and Analysis Center — that specializes in sharing information about cybersecurity threats.
"Rapidly evolving cybersecurity risk reinforces the need for all institutions and their critical technology service providers to have appropriate methods for monitoring, sharing, and responding to threat and vulnerability information," the agencies said. (The FFIEC includes the Federal Reserve Board, Federal Deposit Insurance Corp., National Credit Union Administration, Office of the Comptroller of the Currency and Consumer Financial Protection Bureau.)
The themes gathered from the assessments included that inherent risk varies significantly across institutions, that cybersecurity risk management benefits when employees participate in regular training programs, and that keeping "event logs" can improve "the financial institution's ability to understand trends, react to threats, and improve reports to management and the board."
"It is important for management to understand the financial institution's inherent risk to cybersecurity threats and vulnerabilities when assessing cybersecurity preparedness," the regulators said. "Cybersecurity inherent risk is the amount of risk posed by a financial institution's activities and connections, notwithstanding risk-mitigating controls in place."
The document also contained questions that chief executives and boards should consider asking when assessing their institutions' preparedness, including which of a bank's "connections" can expose it to cybersecurity risks, how to ensure employee awareness, and who at the bank is responsible for maintaining relationships with law enforcement. The recommended questions also touched on how executives can scrutinize third-party relationships.