From: FDIC
WASHINGTON, Sept. 22 — The Federal Deposit Insurance Corporation issued the text of the following speech by Chairman Martin J. Gruenberg:
Good morning and thank you for the opportunity to take part in this conference and to speak with you today.
***
Cybersecurity
As important as it is to effectively manage market risk and credit risk, I would be remiss if I did not touch on the growing importance of cybersecurity in the management of operational risks on the part of large and small banks alike.
We all know that the continual adoption of new technologies has long been a vital part of maintaining the competitiveness of financial institutions in a rapidly changing marketplace. Whether a community bank, a regional, or a mega-bank, they are continually making strategic investments in new information technologies that can help serve their customers, manage risks, and improve efficiencies.
But one of the lessons of the last 40 years is that new technologies often bring with them new vulnerabilities. And it is precisely during this critical period of rapid innovation that the need to manage the operational risks associated with new technologies is the most urgent.
While many of today’s technologies are new, the supervisory processes for conducting IT examinations are well established. In partnership with the Federal Financial Institutions Examination Council (FFIEC), the FDIC has developed a framework for conducting IT examinations that covers a broad spectrum of technology, operational, and information security risks.
Our framework consists of published standards, examination procedures, routine on-site inspections, and enforcement capability. The FFIEC publishes a series of Information Technology Examination Handbooks to communicate regulatory expectations for IT and information security.
In an increasingly interconnected banking environment, internet cyber threats have rapidly become the most urgent category of technological challenges facing our banks. The large number and sophistication of cyber attacks directed at financial institutions in recent years requires a shift in thinking. Cybersecurity is no longer just an issue for the IT department. Instead, it needs to be engaged at the very highest levels of corporate management.
As many of you are aware, cybersecurity has become an issue of the highest importance not only at the FDIC, but for the FFIEC and its member agencies as well as the federal government as a whole. In response to this threat, the banking agencies are in the process of implementing a number of work streams.
In June 2013, the FFIEC formed a new Cybersecurity and Critical Infrastructure Working Group. This Working Group serves as a liaison with the intelligence community, law enforcement, and the Department of Homeland Security on issues related to cybersecurity and the protection of critical infrastructure. The primary purpose of the Working Group is to help the banking agencies collaborate in developing examination policy, in training and information sharing, and in coordinating their responses to cybersecurity incidents.
Earlier this year, the Working Group produced a webinar for community bank executives highlighting our efforts to assess cyber threats and evaluate how institutions are managing these risks. The Working Group is also undertaking an assessment of the banking sector’s overall readiness to address a significant cyber threat. This report will include a self-assessment of regulatory practices to ensure that our own guidance and response capabilities are up to date.
In addition, the FDIC has initiated a number of programs this year to assist community banks in their awareness of cyber threats and to provide practical tools to help mitigate these risks.
The FDIC “Cyber Challenge” exercise is a new online resource, including videos and a simulation exercise, designed to help community banks assess their own preparedness to address a cybersecurity incident. Also beginning this year, we have begun requiring third-party technology service providers, or TSPs, to update their client financial institutions on any operational concerns the FDIC identifies at the TSP during an examination.
We’re clarifying our expectations with regard to actions community banks should take when problems are identified at their TSP, and guiding these banks to zero-cost resources that can assist them in assessing their vulnerability to cyber threats.
Clearly, this work will be ongoing. But even as we gear up to meet new emerging threats, we should remember that many of the operational risks they pose are really not all that new. Instead, new technologies are forcing us to think differently about familiar categories of operational risk.
For years, banks have been developing their capabilities in business continuity, typically as it relates to natural disasters and other physical threats. Today, business continuity increasingly means preserving the ability to maintain access to customer data and to consistently ensure the integrity and security of that data. For this reason, we encourage banks to practice responding to cyber threats as part of their regular disaster planning and business continuity exercises.
Conclusion