FFIEC Provides Concrete Guidance on Setting Up Information Security Programs

Ballard Spahr LLP

The Federal Financial Institutions Examination Council (FFIEC)—the interagency body tasked with setting uniform principles and standards for the examination of financial institutions by federal prudential regulators, including the Consumer Financial Protection Bureau—has issued revised guidance to help financial institutions manage security risks and to explain how examiners will review their information security programs. Financial institutions should carefully assess the extent to which their internal protocols and controls conform to the new expectations articulated by the FFIEC and take immediate steps to enhance their existing information security programs to reflect the new standards.

The guidance updates the July 2006 version of the FFIEC’s Information Security booklet, which is incorporated into the FFIEC’s Information Technology Examination Handbook. The revised booklet directs financial institutions to focus on specific factors that the FFIEC believes are necessary to assess the level of security risks to a financial institution’s information systems. The revisions to the booklet, which are consistent with the FFIEC Cybersecurity Assessment Tool and the NIST Cybersecurity Framework, describe how a financial institution may establish an effective information security program by addressing each of the following phases of the information life cycle:

  • Risk identification

  • Risk measurement

  • Risk mitigation

The booklet contains updated examination procedures to help examiners measure the adequacy of an institution’s culture, governance, information security program, security operations, and assurance processes. Generally, financial institutions should maintain effective information security programs commensurate with their operational complexities, and such programs should be assessed and refined on an ongoing basis. In addition, because of the frequency and severity of cyberattacks, the FFIEC has placed an increasing focus on cybersecurity controls, a key component of information security.

The booklet outlines four broad assessments that examiners will consider with regard to a financial institution’s information security program:

  • Effective corporate governance through an established information security culture, clearly defined information security responsibilities, accountability throughout the institution, and adequate resources to support the information security program;

  • Specific information security program management policies and procedures that identify threats, measure risk, define information security requirements, and implement controls; that integrate with the lines of business and support functions in which risk decisions are made; and that integrate third-party service provider activities;

  • Strong security operations, which should be broadly scoped to address all ongoing security-related functions, guided by defined processes, integrated with lines of business and third parties, and appropriately staffed and supplied with technology for continual incident detection and response activities; and

  • Testing for overall information security program effectiveness, including self-assessments, tests, and audits with appropriate coverage, depth, and independence; aligning personnel skills and program needs; and establishing and implementing a reporting process that includes the assembly and distribution of assurance reports that are timely, complete, transparent, and relevant to management decisions.

Additionally, because financial institutions may outsource some or all of their IT-related functions, the booklet directs examiners to evaluate the duties, obligations, and responsibilities of any third-party service providers regarding information security and the oversight exercised by the financial institution.

As with the FFIEC’s recent guidance regarding mobile financial services (as discussed in our prior alert), the booklet should be considered an essential resource for financial institutions in maintaining information security.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Ballard Spahr LLP
