On November 3, 2014, the Federal Financial Institutions Examination Council (“FFIEC”), on behalf of its members, released a report entitled FFIEC Cybersecurity Assessment General Observations (the “Report”) that contains observations from recent cybersecurity assessments conducted at over 500 community financial institutions as part of the FFIEC cybersecurity examination work program. The Report summarizes themes from the assessments and provides suggested questions for chief executive officers and boards of directors to ask when assessing their institutions’ cybersecurity preparedness. In light of the assessments, the FFIEC announced that its members will review and update current FFIEC cybersecurity guidance.
Based on the assessments, the FFIEC observed that the level of cybersecurity inherent risk varies significantly across financial institutions, in part due to the various types of network connections, products and services, and technologies used by financial institutions. The Report also contains observations on the overall cybersecurity preparedness of financial institutions, including findings on the current risk management, governance, threat intelligence, cybersecurity controls, incident response, and third party management practices of financial institutions.
Additionally, the FFIEC emphasized the importance of information sharing, noting that “[p]articipating in information sharing forums (e.g., Financial Services Information Sharing and Analysis Center) is an important element of a financial institution’s risk management processes and its ability to identify, respond to, and mitigate cybersecurity threats and incidents.” The FFIEC also recommended in a separate statement that financial institutions of all sizes participate in the Financial Services Information Sharing and Analysis Center as part of their process to identify, respond to, and mitigate cybersecurity threats and vulnerabilities.