1. How fast can my organization come back from a cyber attack?
Response, resilience, recovery
The agencies recommend that FS institutions maintain business resilience plans that address response to and recovery from a destructive cyberattack, have relationships with law enforcement and forensic experts, test their resilience periodically, and consider insuring themselves against the costs of an attack.
A “comprehensive system and data backup strategy” is key, the agencies suggest, including routine, periodic backups; secure off-site storage; periodic tests of the ability to reconstruct data; and measurement of practices against industry standards and frameworks such as Sheltered Harbor.
The bulletin comes amid a shift to resilience-based thinking in the financial sector at large.
The U.S. Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) on Jan. 28 released “Cybersecurity and Resiliency Observations,” guidance for cybersecurity and operational resilience based on thousands of financial sector examinations.
The OCIE report reinforces an ongoing shift among bank regulators, who are expanding the old business continuity planning and disaster recovery (BCP/DR) model to cover all aspects of resilience (i.e., operational and cyber), effectively setting a new bar for regulated entities.
Regulators already have been issuing resilience-focused Matters Requiring Attention (MRA) supervisory letters directly to financial institutions—even before the Federal Financial Institutions Examination Council (FFIEC) published its new Business Continuity Management guidebook for bank examiners. The updated FFIEC guide emphasizes resilience and timely recovery of critical business functions.
2. How well does my organization keep cyber intruders out?
Network and system configurations
Fine-tuning network and system configurations can do much to stymie a would-be intruder. The FDIC/OCC bulletin admonishes banks to review their settings including default system settings, default user profiles, and security settings, and to make changes where necessary for tighter security. Applying software patches and upgrades as soon as possible is “critical,” the agencies add.
Network configurations should allow only approved ports, protocols, and services, and disable unnecessary ones, the bulletin recommends. It suggests reviewing default user accounts and settings; limiting removable media access; scanning all hardware, network components, firmware, and operating systems to ensure that critical patches have been installed; using and updating anti-malware; configuring email systems to detect and block spoofing, phishing, and other malicious email types; and continuously monitoring networks that connect to third-party service providers.
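The "only approved ports, protocols, and services" and "review default user accounts" recommendations above are easiest to act on when they are turned into a repeatable check against a baseline. The script below is an added example, not part of the bulletin or the article: it parses `ss -ltnp`-style listener output (the sample lines are constructed) and reports network-reachable listeners that are not in a hypothetical approved set, then scans `/etc/passwd`-style lines for vendor default accounts that still have an interactive shell. The approved set and the list of default account names are assumptions; a real deployment would load them from the institution's configuration baseline.

```python
"""Audit listening services and default accounts against a baseline.

Added example (not from the FDIC/OCC bulletin). Sample data below is
constructed for illustration; APPROVED and KNOWN_DEFAULT_ACCOUNTS are
hypothetical baselines.
"""
import re
from dataclasses import dataclass

# Constructed sample of `ss -Hltnp` output (header suppressed).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=1190,fd=6))
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=990,fd=5))
LISTEN 0 50 0.0.0.0:23 0.0.0.0:* users:(("in.telnetd",pid=1301,fd=4))
LISTEN 0 128 [::]:8080 [::]:* users:(("java",pid=1402,fd=12))
"""

# Hypothetical approved baseline: (port, process name) pairs.
APPROVED = {(22, "sshd"), (443, "nginx")}

# Constructed /etc/passwd-style sample.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
guest:x:1001:1001::/home/guest:/bin/bash
admin:x:1002:1002::/home/admin:/bin/sh
svc_backup:x:1003:1003::/var/backups:/usr/sbin/nologin
"""

# Hypothetical list of vendor/default account names to review.
KNOWN_DEFAULT_ACCOUNTS = {"guest", "admin", "test"}
NON_LOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+users:\(\("(?P<proc>[^"]+)"'
)


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    process: str

    @property
    def loopback(self) -> bool:
        # Loopback-only listeners are not reachable from the network.
        return self.addr in ("127.0.0.1", "[::1]")


def parse_ss(output: str) -> list:
    """Parse ss listener lines into Listener records; skips unparseable lines."""
    listeners = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        addr, _, port = m.group("local").rpartition(":")
        listeners.append(Listener(addr, int(port), m.group("proc")))
    return listeners


def unapproved_listeners(listeners, approved=APPROVED) -> list:
    """Return network-reachable listeners not on the approved (port, process) list."""
    return [
        l for l in listeners
        if not l.loopback and (l.port, l.process) not in approved
    ]


def default_accounts_with_shell(passwd_text: str, defaults=KNOWN_DEFAULT_ACCOUNTS) -> list:
    """Return default-account names that still have an interactive login shell."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue
        name, shell = fields[0], fields[6]
        if name in defaults and shell not in NON_LOGIN_SHELLS:
            found.append(name)
    return found


if __name__ == "__main__":
    for l in unapproved_listeners(parse_ss(SAMPLE_SS_OUTPUT)):
        print(f"UNAPPROVED LISTENER: {l.process} on {l.addr}:{l.port}")
    for name in default_accounts_with_shell(SAMPLE_PASSWD):
        print(f"DEFAULT ACCOUNT WITH SHELL: {name}")
```

Run against real output with `ss -Hltnp | python3 audit.py`-style piping after replacing the constructed samples; the point of the allowlist is that anything new (here the telnet daemon and an unexpected Java listener) is surfaced as a finding rather than silently accepted.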
3. How do I know we’re dealing with legitimate users only?
Identity and access management
Authenticating the identity of internal and external system users, and restricting access so that only authorized entities can enter and use systems, are important practices for preventing successful phishing attacks and fraudulent logins. Leading controls include multi-factor authentication, risk-based authentication, role-based access controls that limit user privileges to what the role needs, limits on administrator and other privileged-user accounts, and regular access reviews.
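A regular access review is where the controls listed above are checked against each other: does every privileged account have MFA, does anyone hold entitlements their role does not grant, and is anyone still provisioned who has stopped logging in? The following is an added example (not from the bulletin or the article) of that review as code over a constructed user inventory. The role model, entitlement names, the 90-day inactivity threshold, and the user records are all assumptions for illustration.

```python
"""Periodic access review over a constructed user inventory.

Added example (not from the FDIC/OCC bulletin). Role model, entitlement
names, thresholds and sample users are hypothetical.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical role-based baseline: entitlements each role may hold.
ROLE_ENTITLEMENTS = {
    "teller": {"accounts:read", "transactions:create"},
    "analyst": {"accounts:read", "reports:read"},
    "admin": {"accounts:read", "accounts:write", "users:manage", "reports:read"},
}
# Entitlements that make an account "privileged" and therefore require MFA.
PRIVILEGED_ENTITLEMENTS = {"users:manage", "accounts:write"}
STALE_AFTER = timedelta(days=90)  # assumed inactivity threshold


@dataclass
class User:
    name: str
    role: str
    entitlements: set
    mfa_enrolled: bool
    last_login: date


@dataclass(frozen=True)
class Finding:
    user: str
    issue: str


def review_access(users, today: date) -> list:
    """Return one Finding per control violation found in the inventory."""
    findings = []
    for u in users:
        allowed = ROLE_ENTITLEMENTS.get(u.role, set())

        # Least privilege: entitlements beyond what the role grants.
        extra = u.entitlements - allowed
        if extra:
            findings.append(Finding(u.name, f"entitlements beyond role {u.role}: {sorted(extra)}"))

        # Privileged access must be protected by MFA.
        if (u.entitlements & PRIVILEGED_ENTITLEMENTS) and not u.mfa_enrolled:
            findings.append(Finding(u.name, "privileged access without MFA"))

        # Dormant accounts should be disabled or removed.
        idle = today - u.last_login
        if idle > STALE_AFTER:
            findings.append(Finding(u.name, f"no login in {idle.days} days"))
    return findings


# Constructed sample inventory (not real data).
SAMPLE_USERS = [
    User("alice", "teller", {"accounts:read", "transactions:create"}, True, date(2020, 2, 1)),
    User("bob", "analyst", {"accounts:read", "reports:read", "accounts:write"}, False, date(2020, 1, 20)),
    User("carol", "admin", set(ROLE_ENTITLEMENTS["admin"]), True, date(2019, 9, 1)),
    User("dave", "admin", set(ROLE_ENTITLEMENTS["admin"]), False, date(2020, 2, 3)),
]
REVIEW_DATE = date(2020, 2, 5)


if __name__ == "__main__":
    for f in review_access(SAMPLE_USERS, REVIEW_DATE):
        print(f"{f.user}: {f.issue}")
```

In the sample, `bob` is flagged twice (an entitlement outside the analyst role, and because that entitlement is privileged he also lacks MFA), `carol` is flagged as dormant, `dave` for privileged access without MFA, and `alice` is clean. Feeding the review an export from the identity provider rather than hand-built records is the only change needed to run it for real.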
The bulletin also highlights the need for employee security-awareness training, security staff and tools including penetration testing and continuous monitoring, and encryption of sensitive and critical data.