Pub. 6 2016 Issue 2

their environment and review the Federal Financial Institution Examination Council’s (FFIEC) cybersecurity assessment tool, newly released this July, to see how they stand.

According to the National Institute of Standards and Technology, cybersecurity is defined as “the process of protecting information by preventing, detecting, and responding to attacks.” According to the FFIEC, which seeks to increase awareness of these risks for banks and their third-party service providers, the two issues institutions should address as they seek to protect information and its supporting infrastructure from technology-based attacks are the management of internal and external threats and the management of vulnerabilities. With the release of the FFIEC cybersecurity assessment tool, all banks now face expanded IT security and controls scrutiny by regulators and auditors.

According to the FFIEC, some key examination areas include layered antimalware strategies, such as anomaly detection, system behavior monitoring, and employee security awareness training. Management of third-party service providers is also high on the list for increased scrutiny.

One of the best ways to combat the risk associated with cybersecurity is to have and follow a plan that includes proper monitoring, risk assessment, resource allocation, and diligence. A good starting point is to instill a heightened awareness in all employees that the threat from fraudsters is very real and constant.

The FFIEC tool consists of two parts: your inherent risk profile and your cybersecurity maturity. The inherent risk profile section identifies the institution’s inherent risk before controls are implemented. The cybersecurity maturity section includes domains, assessment factors, components, and individual declarative statements across five maturity domains to identify the specific controls and practices in place.
Note that while this assessment helps management determine the institution’s maturity level in each domain, it isn’t designed to identify an overall cybersecurity maturity level.

To complete the assessment, management first assesses the institution’s inherent risk profile based on five categories:

• Technologies and connection types
• Delivery channels
• Online or mobile products and technology services
• Organizational characteristics
• External threats

Management then evaluates the institution’s cybersecurity maturity level in each of five domains:

• Cyber-risk management and oversight
• Threat intelligence and collaboration
• Cybersecurity controls
• External dependency management
• Cyber incident management and resilience

STEP FORWARD WITH CONFIDENCE

Though establishing a cybersecurity program and keeping it up to date on current threats may seem overwhelming, there are tools, resources, and cybersecurity consultants that can guide you along the way. It’s an ongoing and sometimes challenging process, but, in the end, it’ll pay off in peace of mind—both for you and your customers.

Bonnie Dallum is a director with the IT Auditing & Consulting Practice at Moss Adams. She has more than 20 years of experience performing IT auditing, IT compliance, and business intelligence and analytics engagements. She can be reached at (415) 677-8303 or bonnie.dallum@mossadams.com.

HOW SHOULD SMALLER BANKS MAKE DECISIONS ABOUT SAFEGUARDING THEIR CUSTOMERS’ SENSITIVE INFORMATION WITH LIMITED RESOURCES?
