The Federal Financial Institutions Examination Council (FFIEC) recently revised its Information Security Booklet. The changes bring the financial services industry closer to the goal of having a clearly defined set of cybersecurity and data protection protocols to ensure regulatory compliance. The booklet is one of 11 which together comprise the FFIEC IT Handbook. Special focus should be paid to the updated Appendix A which was published as guidance for field examiners of the financial services regulators to assess the level of security risks to an institution’s information systems and the adequacy of an information security program’s integration into an institution’s overall risk management.
The Appendix lists 11 objectives for examiners to utilize, however eight of these objectives can be used as internal guidance to assess a program and devise a set of best practices to structure policies and procedures to form a strong, compliant approach to data security ahead of any examination.
Objective: Determine whether management promotes effective governance of the information security program through a strong information security culture, defined information security responsibilities and accountability, and adequate resources to support the program.
To accomplish this objective, the examiner will be looking to whether a board and management understand and support information security and provide appropriate resources for the implementation of an effective security program. For example, are you appropriately staffed with personnel who have knowledge of technology standards, practices and risk methodologies, or did you simply place the responsibility of data security under an existing role held by someone with no experience with the risks involved? Reoccurring training to prepare all staff for their short- and long-term security responsibilities is also necessary to fulfill this objective.
Objective: Determine whether management of the information security program is appropriate and supports the institution’s information technology risk management (ITRM) process, integrates with lines of business and support functions, and integrates third-party service provider activities with the information security program.
To adhere to this listed objective, an institution should ensure that its security policies, standards, enforcement mechanisms, and procedures are uniform across all lines of business. For example if your lines of business are siloed, your ITRM process and those who run the function should be structured as a cross line of a business team that is tasked with ensuring the conformity of policies and procedures across each line of business. Many times, institutions allow the tailoring of each policy within a certain line of business, which increases the risk for one line of business and deteriorates effectiveness of the overall ITRM process.
Objective: As part of the information security program, determine whether management has established a risk identification process.
To accomplish this goal your institution should have: a recurring threat assessment (both internal and external) to focus the risk identification effort; a method to classify and categorize threats and vulnerabilities; a process to determine your institution’s information security risk profile (the FFIEC’s own Cyber Security Tool can accomplish this); and a validation of the risk identification process through audits, self-assessments, penetration tests and vulnerability assessments.
Objective: Determine whether management measures the risk to guide its recommendations for and use of mitigating controls.
To meet this objective you can ask the following questions: 1) do you incorporate legal and regulatory requirements; 2) do you seek to improve consistency in risk measurement; 3) does your team highlight potential areas for mitigation or do they act as strictly from a reactionary standpoint; and 4) do you allow for comparisons among different threats, events, and potential mitigating controls through reporting or remediation decisions.
Objective: Determine whether management effectively implements controls to mitigate identified risk.
Examiners are tasked with a large amount of focus on this objective and special attention should be paid to what the examiners are looking at to determine compliance. The examiners’ attention will focus on, but in no way are limited to:
- Is your information security policy annually reviewed and approved by the board?
- Do you continually assess the capability of technology needed to sustain an appropriate level of information security based on the size, complexity, and risk appetite of your institution?
- Are your policies, standards and procedures sufficient in scope and depth to guide information security-related decisions? For example, are they appropriately implemented and enforced? Do they delineate areas of responsibility? Are they communicated in a clear and understandable manner? Are they reviewed and agreed to by employees? Are they appropriately flexible to address changes in the environment?
- Do you have appropriate physical security controls to protect its premises and more sensitive areas, such as its data center(s)?
- Does management plan for the life cycles of the institution’s systems, eventual end of life, and any corresponding business impacts?
- Has management implemented defense-in-depth to protect, detect and respond to malware?
- Does management develop customer awareness and education efforts that address both retail (consumer) and commercial account holders?
These are only a few of the actions examiners will be looking for to fulfill this objective. At a minimum, a thorough read of this objective and a cross-check of its guidance against an institution’s controls should be performed.
Objective: Determine whether management has effective risk monitoring and reporting processes.
Do the risk monitoring and reporting processes address the changing threat conditions in both an institution and the industry as a whole? Make sure they are not static and are updated regularly. Do the processes address information security events faced by the institution, the effectiveness of management’s response, and the institution’s resilience to those events? The reporting process should also include a timely and consistent method of disseminating the reports to appropriate members of the management team in order for them to act on them, if necessary. Finally do these reports spur action from management? An institution should be able to document instances where this reporting successfully identified and remediated possible threats.
Objective: Determine whether management has security operations that encompass necessary security-related functions, are guided by defined processes, are integrated with lines of business and activities outsourced to third-party service providers, and have adequate resources (e.g., staff and technology).
To comply with this objective, an institution’s operations should include the following: 1) Security software and device management (e.g., maintaining the signatures on signature-based devices and firewall rules); 2) Forensics (e.g., analysis of potentially compromised systems); 3) Vulnerability identification (e.g., operation or supervision of vulnerability scans, self-assessments, penetration tests, and analysis of audit results); 4) Vulnerability cataloging and remediation tracking; 5) physical security management (e.g., CCTV, guards, and badge systems); 6) law enforcement interface (e.g., data retention and lawful intercepts); 7) third-party integration (e.g., managed security services and incident detection services); 8) monitoring of network, host and application activity; 9) threat identification and assessment; 10) Incident detection and management; and 11) enforcement of access controls.
Objective: Determine whether management has an effective information security program.
Here, an institution must be able to showcase that its information security program is subject to periodic review and whether management provides for continual improvement in the program’s effectiveness. For example, are you reviewing the program in its current environment, not just the environment when the program was initiated? Also, can you demonstrate that lessons learned from experience, audit findings, risk reporting and other opportunities for improvement are identified and applied to your program? Are you learning and becoming stronger from your experiences?
Objective: Determine whether assurance activities provide sufficient confidence that the security program is operating as expected and reaching intended goals.
To comply with this objective, an institution should be doing things such as using independent organizations to test aspects of the information security programs. You should also be able to document that self-assessments, penetration tests, vulnerability assessments, and audits are used to support management decision making. In other words, does management take your data security functions seriously and do they act on the recommendations given?
The above recommendations on how to approach the fulfillment of the appendix’s objectives are in no way a complete list of all the best practices that examiners will be looking for, but they can provide a good litmus test to determine where your institution stands from a regulatory perspective. The entire booklet should be studied and utilized by your IT department and your compliance, legal, risk and audit operations should also be aware and understand its contents in order to have your institution’s compliance management system reflect the strongest integration of cyber and data security controls.
This approach will not only allow your institution to avoid the regulatory risk that is associated with findings and/or fines in this space, but will position you to limit your litigation exposure in the event of a data breech through your ability to show pre-existing robust policies and procedures designed to limit risk as much as possible. It’s also important to note that the FFIEC is comprised of a Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC) and the Consumer Financial Protection Bureau (CFPB).
Certain institutions look at cybersecurity and data protection as a safety and soundness issue and only see regulatory exposure through the prudential regulators. But that would be a mistake as the CFPB can just as easily utilize these protocols within a consumer regulatory exam. We saw earlier this year in the CFPB’s action against Dwolla, Inc. that they are reviewing data security controls as well.
In Dwolla, the CFPB cited its authority under Unfair, Deceptive, or Abusive Acts and Practices (UDAAP) to bring a claim against Dwolla around their data security procedures. The Bureau fined Dwolla $100,000, but went on to require the company to: 1) adopt and implement reasonable and appropriate data-security measures to protect consumers’ personal information; 2) establish, implement and maintain a written, comprehensive data security plan that is reasonably designed to protect the confidentiality, integrity and availability of sensitive consumer information; 3) adopt and implement reasonable and appropriate data-security policies and procedures; 4) designate a qualified person to coordinate and be accountable for the data-security program; 5) conduct data-security risk assessments twice annually and evaluate and adjust the data security program as needed; 6) conduct regular, mandatory employee training; 7) develop, implement and update, as required, security patches to fix any security vulnerabilities identified in any Web or mobile application; and 8) develop, implement and maintain an appropriate method of customer identity authentication.
These are all very similar actions to the controls examiners are advised to look for in this update to the IT handbook from the FFIEC. It is imperative that your institutions board and management are aware of the increasing regulatory focus on data and cyber security occurring in the financial services industry.
Craig Nazzaro is of counsel in Baker Donelson’s Atlanta, office where he advises lenders and servicers on all regulatory and compliance issues that impact the consumer lending industry, and defends them against charges of liability and any regulatory violations. He may be reached at firstname.lastname@example.org.
The views expressed in the article are those of the authors and not necessarily the views of their clients or other attorneys in their firm.