Anthem, Target and JPMorgan Chase – guess what they all have in common? Correct: each has fallen victim to major security breaches as the result of cyber-attacks. It’s also obvious no one is immune. Every industry conducting business online (a.k.a. every industry) can fall victim at any time.
When it comes to the financial industry, the threat is paramount. To fortify banks and credit unions against cyber-attacks, the Federal Financial Institutions Examination Council (FFIEC) released a new cybersecurity assessment tool in June 2015. Prior to developing its Assessment Tool, the Council received feedback from community banks across the U.S. that the proposed tool would help them achieve and maintain their cybersecurity goals.
According to the Overview for Chief Executive Officers and Boards of Directors PDF (Cyber Assessment Tool, 2015), “… (the tool is) to help institutions identify their risks and determine their cybersecurity preparedness. The Assessment provides a repeatable and measurable process for institutions to measure their cybersecurity preparedness over time.”
Currently, the tool is optional. So, why is there rising concern over a cybersecurity tool deemed useful by more than 500 domestic banks? Financial industry news sources cite, as one of the main criticisms of the tool, a lack of flexibility that may prohibit a bank or credit union from using organization-specific information to assess the effectiveness and maturity of its cybersecurity protocols, as well as its ability to address any residual risks.
Credit Union Journal reporter Ian McKendry writes in his recent article, Why Credit Unions Fear Regulators’ New Cybersecurity Tool (McKendry, 2015), “Credit unions and banks are increasingly concerned that an optional cybersecurity assessment tool released by regulators this summer could soon become mandatory…bankers have begun to fear that institutions that don’t use it could find themselves in regulatory crosshairs.”
If you haven’t had a chance to explore the details of the FFIEC’s Cybersecurity Assessment Tool, you can find more information on the Council’s website.
In your opinion, what are the implications if use of this tool becomes mandatory?