This interactive seminar is designed to provide education on emerging cybersecurity threats and inform you of best practices to prevent, detect and respond to these threats. The seminar will set you up with the tools and knowledge needed to assist your institution in creating and maintaining a comprehensive information security program to protect your institution’s critical infrastructure. You will also learn about the components your institution should have in place for an information security program to pass regulatory scrutiny.
FFIEC Guidance and GLBA Overview
Banking guidance continues to evolve as our cybersecurity challenges increase. Sometimes it seems that cybersecurity challenges are growing faster than we are evolving. We will review GLBA requirements and highlight some of the newest regulatory requirements from the FFIEC, including the updated CAT. These will establish the foundation of what must be incorporated in our Information Security Programs. We will discuss the FFIEC Information Security Booklet and its 21 security controls; the FFIEC Management Booklet and the roles and responsibilities it outlines for IT Operations vs. Information Security, as well as Senior Management and the Board; and the FFIEC Mobile Financial Services Guidance, which is included in the Retail Payments booklet.
Cybercrime Trends
Cybercriminals are always searching for innovative ways to steal our data and our money. Sometimes existing techniques are improved, as we have seen with sextortion phishing scams, and sometimes there are new attack vectors that are surface, as with ATM Jackpotting and Unlimited Operations. We will explore the following areas to expose the complex and organized nature of cybercrime:
• Phishing Attacks • System Vulnerabilities
• Business Email Compromise (BEC) • Ransomware
• ATM Fraud
Top 10 Missing CAT Baseline Controls
The Federal Financial Institutions Examination Council (FFIEC) updated the Cybersecurity Assessment Tool (CAT) in June of 2017, and the CAT continues to be an active part of regulatory exams. Within the CAT, the Baseline controls are a level of security that every financial institution needs to maintain or achieve. We will review the most commonly missed Baseline controls, and how institutions might address those gaps.
FDIC InTREx Overview
FDIC’s InTREx (Information Technology Risk Examination) was published in 2016 and is being used by the FDIC, Federal Reserve, and most State banking regulatory departments as an IT exam framework. We will review how InTREx is structured, common challenges, and how to prepare for your next examination by reviewing InTREx. There is a common set of documentation referenced within InTREx, and we will extract those items and review the other controls towards which InTREx guides institutions. We will also compare the FFIEC CAT process against InTREx.
Information Security Programs
All banks are required to have a written, comprehensive Information Security Program that starts with a risk assessment. This section will overview the primary components of an Information Security Program to ensure your organization has a solid foundation on which to build its information security governance. With a risk-based Information Security Program, there are three major elements: Risk Assessment, Documentation, and Audit. We will explore these three areas, as well as how the risk assessment process drives the creation of documented policies, procedures, and plans that the institution can then implement.
Cybersecurity Culture and Training Programs
The human element of information security is an increasing target for cybercriminals and generally considered the weakest area in information security. Security awareness and training on proper protocols is an essential element of good security and regulatory compliance. We will discuss many methods of constructing an adequate security awareness and training program for both employees of your bank and customers of your online products and services. Awareness to cybersecurity issues, training on what is expected, and clear accountability for employees and management responsible for protecting customer information. These elements can help establish a lasting culture that includes a passion for protecting customer information and a desire to be successful against cybercrime.