The Federal Financial Institutions Examination Council says that financial institutions should focus their cybersecurity measures on managing inherent risk factors and engage executive leadership in evaluating an institution’s preparedness.
FFIEC said in a report published Monday that it conducted a cybersecurity assessment of 500 financial institutions earlier this year and found that inherent risk varies based on operational factors such as connection type, technologies, and product and service offerings.
Institutions should consider these factors and determine if their existing connections, offerings and technologies add to the inherent risk and if they can manage these factors amid the changing threat landscape, the council said.
It also added that risk management and oversight, collaboration on threat intelligence, cybersecurity controls, limited external dependence, and incident management and resilience are important practices to adopt to bolster preparedness.
FFIEC noted that the board of directors and senior management should be involved in discussing an institution’s capabilities and vulnerabilities and deciding on areas that need further work.