With just one bank failure in 2019 and none in 2018, it’s easy to think that banks and credit unions across the industry are once again in a strong financial position and thus unlikely to fail.
Yet there are more than just financial threats to industry stability. The FDIC is actively considering how it would handle an unprecedented scenario: a bank resolution due to a cyber event.
A cyber event-induced failure would pose different operational, market, and other challenges than past failures, and the agency's toolkit for resolution may not be fully equipped to deal with it, FDIC Chairman Jelena McWilliams noted in a recent speech.
The FDIC is assessing this risk and the potential challenges of a cyber-induced failure, including:
- The potential abruptness of a disruption, and resulting compression of ordinary recovery and resolution planning timelines;
- Uncertainties regarding the severity of impact, and prospects and timing for restoration of systems or data after a cyber incident; and
- The reliability and accessibility of information that the agency ordinarily relies on to conduct a resolution.
“Work in this area is critical and ongoing,” she says.
Testing Cyber Attack Responses
As the FDIC and other agencies tackle the ramifications of cyber attacks, they are also offering financial institutions plenty of opportunities to test the strength of their current cybersecurity controls and response plans.
The FDIC Cyber Challenge recently added two new scenarios to its collection of scenarios and questions to assist banks in discussing operational risk and the potential impact of IT disruptions.
Cyber-Attack Against Payment Systems (CAPS) Exercises
The Financial Services Information Sharing and Analysis Center (FS-ISAC) is offering three free Cyber-Attack Against Payment Systems (CAPS) simulated tabletop exercises this fall to allow financial institutions to assess their systems and response plans.
Held September 24-25, October 1-2, and October 8-9, each exercise takes about two hours a day and allows an FI to see how it would be impacted by an attack on payment systems and processes.
“Participants practice mobilizing quickly, working under pressure, critically appraising information as it becomes available, and connecting the cyber-dots to defend against an attack,” FS-ISAC says.
The Federal Reserve Bank of St. Louis has released Cyber Talk, a six-part video series, and a one-page Cyber Talk Guide for bank executives and board members to facilitate discussions on cybersecurity.
These videos, averaging around five minutes each, address key issues such as:
- Understanding the use of a cybersecurity framework
- The fundamentals of controls
- Identifying gaps
- Filling gaps
- Answering the cybersecurity posture question
Executive Leadership of Cybersecurity (ELOC) Resource Guide
The Conference of State Bank Supervisors (CSBS) has updated its Executive Leadership of Cybersecurity (ELOC) Resource Guide, also known as Cybersecurity 101. This non-technical reference guide is designed to help financial institution executives create comprehensive, responsive cybersecurity programs that align with best practices. Its goal is to help identify people, processes, tools, and technologies that can be leveraged to reduce cybersecurity risk.
Don’t make history by becoming the first bank or credit union to fail due to a cyber incident.
Follow the recent advice of the FFIEC and make sure your institution adopts a standardized approach to assessing cybersecurity preparedness with the ability to track progress over time, and share information and best practices with other financial institutions and with regulators.