FFIEC Cyber Exams: Lessons Learned
Booz Allen Expert Says Understanding Threats Is Key
What's the main lesson community banks are learning from the Federal Financial Institutions Examination Council cybersecurity pilot exams? That regulators want them to prove they understand emerging threats, says Booz Allen's Jeff Lunglhofer.
And as the FFIEC wraps up its community bank pilot program for enhanced cybersecurity assessments, banking institutions should be bracing for a more stringent assessment process to come, says Lunglhofer, a principal within Booz Allen Hamilton's financial services cyber security practice.
Over the last two months, banking regulators have pinpointed security weaknesses at smaller institutions through their assessment pilot project.
And based on the feedback Lunglhofer has gathered from banking institutions that were selected for the pilot exams, the primary pain point for community banks and credit unions is that they don't fully understand the specific threats they face.
The regulators' assessments demonstrate "we are seeing an increased push around 'show me, don't just tell me' that you understand the threats," Lunglhofer says during this interview with Information Security Media Group. "You have to demonstrate that ... your threat-mitigation strategies are documented and applicable to your organization. Regulators don't just want to know that you have a program in place."
Unlike larger institutions, which for years have been targeted by cyberattacks waged for fraud and the theft of intellectual property, smaller institutions, up until recently, have been fairly immune.
But hackers will increasingly target community institutions because they typically have weaker defenses than larger organizations, Lunglhofer says.
"As a hacktivist group launching a distributed-denial-of-service attack, you are not going to get anywhere with the top-tier banks," he says, because most larger institutions know how to defend against those types of attacks.
During the pilot cyber exams, banking regulators have asked that community banks and credit unions prove they understand the threats they're facing and show that they are well-equipped to defend their networks against increasingly sophisticated adversaries, Lunglhofer says.
The Role of Information Sharing
Information sharing plays an important role in understanding threats. That's why during the cyber-exam and risk assessment process, regulators have wanted to know that community banks and credit unions are actively involved in information sharing that keeps them abreast of emerging attacks, Lunglhofer says.
"We're going to see some increased pushes [from regulators] around information sharing, and I think we may see some guidance around that," he says. "But I think we might see some guidance around increased efficiency, too, such as information sharing with different departments within the institutions themselves."
During this interview, Lunglhofer also discusses:
- Fundamental security best practices that all banking institutions should embrace;
- How FFIEC examinations are becoming more tailored to ensure banks no longer get by with a check-box approach to security; and
- Why inter-department information sharing could be more significant than industry information sharing.
Lunglhofer leads Booz Allen's Cyber Financial Services practice, offering security diagnostic, design and remediation services to top financial institutions. He supports a wide range of customers focusing on the identification and remediation of technical and strategic security risks. At Booz Allen, Lunglhofer recently led a cybersecurity diagnostic program covering eight major cyberdisciplines, ranging from threat intelligence and APT detection to security monitoring and response for six of the top 10 U.S. financial institutions.