Federal Financial Services Cybersecurity Considerations
Federally, financial services companies are watched by both the Federal Financial Institutions Examination Council (FFIEC) and Office of the Comptroller of the Currency (OCC).
The FFIEC includes five banking regulators—the Federal Reserve Board of Governors (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Consumer Financial Protection Bureau (CFPB).
The FFIEC is empowered to prescribe uniform principles, standards, and report forms to promote uniformity in the supervision of financial institutions. It also oversees real estate appraisal.
Cybersecurity is extremely important to the FFIEC and has backing from the top ranks. On June 30, 2015, the FFIEC created a Cybersecurity Assessment Tool (CAT). The OCC simultaneously announced that examiners will gradually incorporate the CAT into examinations of national banks, federal savings associations, and federal branches and agencies (collectively, banks) of all sizes. It’s now several years later and the OCC has fully integrated the CAT into their regular audits of affected financial institutions.
The FFIEC breaks down cybersecurity into 5 domains that overlaps significantly with the NIST Cybersecurity Framework, which is the framework PIRC uses when performing cybersecurity maturity assessments.
The five cybersecurity domains for financial institutions are:
- Cyber Risk Management and Oversight
- Threat Intelligence and Collaboration
- Cybersecurity Controls
- External Dependency Management
- Cyber Incident Management and Resilience
Within each domain, financial services companies will fall somewhere within the granular scale below, which is, again, derived from NIST, particularly NIST’s PRISMA security maturity scale.
|FFIEC Cybersecurity Maturity Levels||NIST PRISMA Cybersecurity Maturity Levels|
|Baseline||IT Security Maturity Level 1: Policies|
|Evolving||IT Security Maturity Level 2: Procedures|
|Intermediate||IT Security Maturity Level 3: Implementation|
|Advanced||IT Security Maturity Level 4: Test|
|Innovative||IT Security Maturity Level 5: Integration|
Since OCC audits align quite closely with NIST-based cybersecurity standards, PIRC is in the position to help your company move up in the maturity cybersecurity maturity scale and satisfy auditors with a comprehensive security program.
State-Level Financial Services Cybersecurity Considerations
Different states have different banking and financial services laws. It is the responsibility of every financial institution to maintain compliance with state-level regulations around cybersecurity and data protection.
On May 7, 2018, New Jersey Attorney General Gurbir Grewal announced the creation of a new unit within his office known as the Data Privacy and Cybersecurity (DPC) Section. According to the announcement,
“Attorneys assigned to the DPC Section will collaborate with State Police, the Division of Consumer Affairs and other state agencies in managing investigations and bringing related civil litigation when New Jersey residents are victimized by data breaches and the unauthorized collection, use and dissemination of their personal information.”
Because of legislation passed by Superintendent Maria Vullo of the NYS Department of Financial Services (DFS), banks and financial services companies licensed to do business in New York have to comply with the state-level regulation 23 NYCRR 500, Cybersecurity Requirements for Financial Services Companies.
At the heart of the NY regulation is an upfront risk assessment, the requirement for over 15 written cybersecurity policies, and the requirement to notify the DFS within 72 hours of a suspected or known cybersecurity breach.
Larger banks and financial services companies must also implement multi-factor authentication, maintain a Chief Information Security Officer and contract an objective third-party security firm to perform annual penetration testing and bi-annual vulnerability assessments.
PIRC has extensive experience helping companies with these security requirements and our CISO-as-a-Service (fractional CISO role) is about 1/10th of the cost of a full-time CISO. Cybersecurity compliance doesn’t have to be scary. We know the regs and what the auditors are looking for, so we can help you reduce your cybersecurity risk and be in good standing before the folks with clipboards enter your building.