Cybersecurity Updates for Financial Institutions


12 Mar Cybersecurity Updates for Financial Institutions

The Federal Deposit Insurance Corporation (FDIC) and Office of the Comptroller of the Currency (OCC) recently released a joint statement on heightened cybersecurity risks. While many financial institutions are addressing the identified threats, there may be recommendations in the guidance that are new to your institution or evolving as cybersecurity threats change. Following are items that regulators are looking for financial institutions to address.

Response, Resilience, & Recovery Capabilities

  • Examiners have been asking financial institutions to possess detailed incident response and business resilience plans that address common cyberattacks
    • Plans should identify the types of attacks management considers most likely to cause significant damage and detail the institution’s response to each attack type; examiners have commented that generic plans are no longer sufficient
    • Plans should be tested (similar to the business continuity planning tabletop testing your institution is likely already doing); if you need assistance with testing, the FDIC has provided suggested exercises here
    • Plans need to be coordinated with disaster recovery or business continuity plans; these plans should address recovering from cyberattacks

Identity & Access Management

  • Remote access to internal networks with user accounts that have elevated or administrator-level privileges should use multifactor authentication
  • Remote network access should be monitored via security tools

Network Configuration & System Hardening

  • Regular vulnerability scans of internal networks should be performed; most institutions have patch management programs in place, but community banks have only recently begun scanning their networks for vulnerabilities on a regular basis; while patches remediate many vulnerabilities, there are additional risks that must be addressed through other methods
  • Network components (other than servers and computers) should receive regular patches for high-risk vulnerabilities; these include routers, switches, printers, phone systems, cameras, ATMs, and other networked devices

Employee Training

  • Employees should be trained on social engineering threats, and institutions should regularly test the effectiveness of their training; many financial institutions are using third-party training platforms that incorporate phishing and other testing

Security Tools & Monitoring

  • Regular monitoring of threat activity on internal networks should be performed – many financial institutions are deploying log management and alerting systems on their networks

For more information on the joint regulatory statement, click here. In addition, you may contact KPM Manager Richard Dugas if you have any questions on the guidance or would like to learn more about KPM’s information technology audit and consulting services that address these recommendations.