The Federal Financial Institutions Examination Council (FFIEC) recently revised their Information Security Booklet. This moves the financial services industry one step closer to defining clear cybersecurity and data protection protocols to ensure regulatory compliance and furthers the implementation effort of the cybersecurity tool the FFIEC announced in June of 2013. The booklet is one of 11 which together comprise the FFIEC IT Handbook. The FFIEC states that the “updates include the removal of redundant management material and a refocus on IT risk management and an update of information security processes. The revision reflects changes in the industry … The updates are consistent with the FFIEC Cybersecurity Assessment Tool (CAT) and the NIST Cybersecurity Framework as appropriate. The booklet contains updated examination procedures to help examiners measure the adequacy of an institution’s culture, governance, information security program, security operations and assurance processes.”
Special focus should be paid to the updated Appendix A, which was published as guidance for your regulator’s field examiners to assess the level of security risk to your institution’s information systems and the adequacy of your information security program’s integration into overall risk management. The appendix lists the following 11 objectives for examiners, but objectives two through 10 can also be used as internal guidance to assess your own program:
- Determine the appropriate scope and objectives for the examination.
- Determine whether management promotes effective governance of the information security program through a strong information security culture, defined information security responsibilities and accountability and adequate resources to support the program.
- Determine whether management of the information security program is appropriate and supports the institution’s ITRM process, integrates with lines of business and support functions and integrates third-party service provider activities with the information security program.
- As part of the information security program, determine whether management has established risk identification processes.
- Determine whether management measures the risk to guide its recommendations for and use of mitigating controls.
- Determine whether management effectively implements controls to mitigate identified risk.
- Determine whether management has effective risk monitoring and reporting processes.
- Determine whether management has security operations that encompass necessary security-related functions, are guided by defined processes, are integrated with lines of business and activities outsourced to third-party service providers and have adequate resources (e.g., staff and technology).
- Determine whether management has an effective information security program.
- Determine whether assurance activities provide sufficient confidence that the security program is operating as expected and reaching intended goals.
- Discuss corrective action and communicate findings.
The entire booklet should be studied, understood and utilized by your IT, compliance, risk and audit operations so that your institution’s compliance management system reflects the strongest integration of cyber and data security controls. This approach will not only allow your institution to avoid the regulatory risk associated with findings and/or fines in this space, but will also position you to limit your litigation exposure in the event of a data breach through your ability to show pre-existing, robust policies and procedures that limit risk as much as possible.
It’s also important to note that the FFIEC is composed of the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC) and the Consumer Financial Protection Bureau (CFPB). Certain institutions view cybersecurity and data protection as a safety and soundness issue and see regulatory exposure only through the prudential regulators; that would be a mistake, as the CFPB can just as easily utilize these protocols within a consumer regulatory exam. As we saw earlier this year in the CFPB’s action against Dwolla, Inc., the CFPB is reviewing data security controls as well. If you have any questions regarding data security best practices, please contact any of the attorneys in Baker Donelson’s Privacy and Information Security practice group.