The Federal Deposit Insurance Corporation backs the US banking system, providing assurance to American investors and consumers that their financial institutions are stable, reliable, and secure. In a connected world, digital mechanisms have enabled rapid transactions and banking convenience that eliminates limits of the past. With these changes, people can conduct business from nearly anywhere in the world, check account statuses, deposit checks, move money, and more. While this is tremendously beneficial to consumers, investors, and financial institutions, alike, it also introduces new risks.
Cybersecurity Risks for FDIC Insured Financial Institutions
If consumers can digitally access their accounts, so too can cyber criminals. The FDIC has a direct stake in making sure that FDIC-backed institutions are protecting all aspects of their digital environment, because their stability depends on the stability of member organizations like yours. Therefore, cybersecurity experts have helped the agency create a framework that enables institutions to evaluate their security strategies against clear standards in order to identify gaps and weaknesses that could leave them open to attack. Since attackers are always evolving their tools, tactics, and techniques, your approach to protecting your entire environment will also need to evolve. This is why standards undergo periodic update, and why cybersecurity is an ongoing process of cyclically evaluating, identifying, and mitigating risk.
The FDIC utilizes an examination program called InTREx to support and evaluate the cybersecurity posture of its members across a number of key areas, including:
Storing digital records of your clients’ accounts that they can access via the internet is not only risky because these records enable access to their finances, but also because their personal data is also stored in your systems. The need to protect this information is very straight-forward, and few would argue its importance or question a financial institution’s motivation to ensure this information is secure. Methodology for doing so is where the FDIC wants to look closely. Their willingness to back your financial institution (FI) depends on what measures you take, and how effectively they stand up against audits, evaluations, and security testing.
Even after implementing measures to protect cardholder data, you still need to protect the systems that allow your internal staff to perform daily tasks. Cyber criminals can perform a great many malicious actions with information that can be gathered from your day-to-day operations.
Software can also contain vulnerabilities that attackers may exploit to access systems. Security measures can be taken, however, to ensure that 1) your software stays up to date with the latest patches and 2) you screen software vendors carefully, looking at their own validations of security. This helps you protect yourself from third-party vulnerabilities and supply chain attacks.
Whether you maintain physical servers, servers in a public or private cloud, or a combination of both (hybrid), your endpoints need to be protected from attack. It used to be that a perimeter approach could be taken, utilizing firewalls or other tactics to secure servers. In today’s landscape, it will take far more to keep your endpoints secure. Further, any endpoint in your environment, from desktops, to PCs, to IoT-connected printers or camera systems can be an avenue for attackers.
Business continuity is an essential part of any cybersecurity program for more reasons than the potential for natural disasters or other unforeseen circumstances of inconvenience. Cybersecurity attacks can result in serious or permanent disruptions. A solid disaster recovery plan, however, can help mitigate this risk and enable you to not only recover, but restore systems and maintain operations.
While prevention of a cybersecurity attack is the most important part of a strong security strategy, it is also important to build a solid plan for what you will do in the event of a successful attack. Incident Response planning will include steps from documenting a notification call tree, to who will provide cyber incident response services, dealing with press inquiries, naming outside counsel, and interacting with your cyber insurance provider.
Contact Us Today!
Let us know your business needs and we will make sure to get back with you promptly!