The Treasury Department’s Cybersecurity Checklist

Boiling down what really matters concerning cybersecurity is a tough but worthy exercise. During recent remarks, Deputy Treasury Secretary Sarah Bloom Raskin offered a checklist of what the Treasury Department thinks are the essential elements of cybersecurity. Here we examine how your bank can answer her challenge.

MAKE CYBER RISK PART OF YOUR BANK’S CURRENT RISK MANAGEMENT FRAMEWORK

  • Tailor your framework to the size and business operations of your bank
  • Identify the cyber threats presented by your particular activities and operations and match those threats to the appropriate technology solutions.
  • Adopt policies, procedures and other controls to address identified cyber threats that their technology solutions cannot control and to reasonably anticipate possible breakdowns and overrides of that technology.
  • Employ highly qualified people to monitor and continually reassess the effectiveness of the deployed technology and controls, including those technologies or controls that are not directly operated by the institution.

USE THE NIST CYBERSECURITY FRAMEWORK

  • Identify your bank’s cyber posture and determine its risk profile and tolerance.
  • Develop organizational communication plans for responding to attacks.
  • Establish a common language and set of practices, standards and guidelines.
  • Apply your established risk-management approaches when the risks and associated controls are cyber-related.
  • Evaluate vendors and other third parties with access to your networks, systems and data.

UNDERSTAND THE SECURITY SAFEGUARDS THAT YOUR THIRD PARTIES HAVE IN PLACE

  • Know all vendors and third parties with access to your systems and data.
  • Ensure that those third parties have appropriate protections to safeguard your systems and data.
  • Conduct ongoing monitoring to ensure adherence to protections.
  • Document protections and related obligations in your contracts.

EVALUATE YOUR NEED FOR CYBER RISK INSURANCE

  • Know what it covers and excludes.
  • Know if it is adequate based on your risk exposure.
  • Leverage the qualification process to help assess your bank’s risk level.

ENGAGE IN BASIC CYBER HYGIENE

  • Know all the devices connected to your networks.
  • Reduce that number to only those who need those privileges.
  • Know who has administrative permissions to change, bypass and override system configurations.
  • Patch software on a timely basis.
  • Conduct continuous, automated vulnerability assessments.

SHARE INCIDENT DATA WITH INDUSTRY GROUPS

  • Join the Financial Services Information Sharing and Analysis Center.

HAVE AN INCIDENT PLAYBOOK AND A POINT PERSON FOR RESPONSE AND RECOVERY

  • Have a detailed, documented plan that designates who is responsible for leading the response-and-recovery efforts.
  • Chose a lead with exceptional organizational and communication skills because he or she will quarterback internal and external interactions.

DESIGNATE SENIOR LEADER AND THE BOARD ROLES DURING A CYBER INCIDENT RESPONSE

  • Designate when and which matters get escalated to the CEO.
  • Designate whether the full board or a committee—like risk or audit—is initially tasked to oversee the response from a governance perspective.
  • Participate in cyber exercises that simulate
    a cyber intrusion. Include the CEO, directors and other key players.

KNOW WHEN AND HOW TO ENGAGE WITH LAW ENFORCEMENT AFTER A BREACH

  • Have in your playbook when you should reach out to law enforcement.
  • Cultivate relationships with local U.S. Secret Service and FBI field offices.

KNOW WHEN AND HOW YOU WILL INFORM EVERYONE OF AN EVENT

  • Be transparent.
  • Avoid technical jargon and legalese and provide clear and consistent information.
  • Draft messages for various scenarios.