Financial Outsourcing Solutions

FOS Blog

10 Dec 2014

FFIEC releases findings of Cybersecurity assessment

In this day and age it seems like there is a constant stream of cyber threats to financial institutions. To address this constant evolution, financial institutions have adopted various methods to mitigate these security risks, with varying levels of success. Things like finding the right partners, buying the right computer solutions, or maintaining appropriately trained staff members have become major thorns in the side of institutions struggling to keep their heads above water. If that wasn’t bad enough, there has been considerable pushback from members of senior management or the Board who think that they are too small a target for hackers and delay spending on cybersecurity measures. The cybersecurity woes have also been felt by the various regulatory bodies, which are trying to keep their exam processes up to date while providing relevant guidance in this turbulent environment.

Realizing the growing threat environment was only going to get worse, the regulators took some action. In November, after several months of piloting a cybersecurity program amongst financial institutions, the FFIEC presented the findings of its cybersecurity assessment. The goal of the program was to assess the readiness of 500 community financial institutions to address the growing cyber threats. The FFIEC summarized its findings as follows:

  • The board of directors and senior management taking a more active role in understanding their institution’s “cybersecurity inherent risk”
  • Making “cybersecurity issues” a standard agenda item for meetings
  • Seeking opportunities to improve ongoing “awareness” of changes in the threat environment
  • “Establishing and maintaining a dynamic control environment”
  • Continued vigilance when managing third-party vendors
  • Incorporating cybersecurity into disaster recovery and incident response plans with appropriate testing

While most of these seem like variations on a theme, the underlying tone is a clear shift in direction from the regulating bodies. We recently have had conversations with a few regulators from various agencies, and they are actively training their staff to incorporate more cybersecurity into their review process. Financial institutions can expect more oversight with regard to cybersecurity in next year’s exams.

In the end, the challenges seem pretty daunting. Financial institutions will need to shift the culture of their organization to be more security focused in order to be successful. This effort by the FFIEC would seem to provide a path to help influence that shift by providing solid guidance to build on and incorporate into the environment.

For additional information contact Jeffrey Johns at JJohns@fosaudit.com