FDIC & OCC issue Cyber Threat Warning to Financial Institutions
FDIC & OCC cite their top six controls for risk management. Does your firm have these in place?
The Federal Deposit Insurance Corporation (FDIC) and the Office of the Comptroller of the Currency (OCC) issued an interagency cyber threat warning, citing a “heightened risk” to financial institutions amid increased geopolitical tension. Financial firms should re-evaluate the adequacy of their safeguards against cyber security risks and focus on risk management principles that reduce the chance of a cyber-attack and minimize business disruption.
No matter how sophisticated the security solution, it is unreasonable to expect it to reduce the risk of a cyber threat to zero. However, security solutions combined with proper cyber hygiene can greatly limit exposure. Additionally, firms must also focus on risk management controls, including detection and response. It is not enough to simply have an incident response plan; firms should perform full incident response simulation training and crisis management exercises. This immersive simulation training will identify cracks in your cyber preparedness.
The FDIC & OCC joint statement stressed the importance of the following key controls for risk management:
- Response, resilience and recovery capabilities by (i) maintaining comprehensive resilience plans in order to respond and recover successfully from destructive cyber-attacks and (ii) establishing comprehensive system and data backup strategies;
- Identity and access management to prevent phishing attacks that could compromise login credentials;
- Network configuration and system hardening that (i) only provide access to approved ports, protocols and other services and (ii) are continually monitored;
- Employee training on recognizing cyber threats, phishing and suspicious links, in addition to measuring the success of the training programs;
- Security tools and monitoring procedures, such as (i) hiring qualified cyber security staff, (ii) reviewing system and network audit logs and (iii) implementing sufficient internal and external testing programs to assess the firm’s ability to detect cyber threats; and
- Data protection systems to implement (i) a data classification program and (ii) encryption and tokenization of confidential data.
Thrive has the resources to ensure that your firm adheres to the FDIC & OCC guidelines. Secure your sensitive data by contacting Thrive’s expert team of cyber security engineers today.