Cybersecurity advice for financial institution leaders
CISA’s “Shields Up” program also offers advice for corporate leadership, and much of that advice applies to financial institution governance. Executive leaders of banks and credit unions should:
Empower the Chief Information Security Officer (CISO)
Financial institutions should ensure their CISO or equivalent leadership has the resources necessary to prepare for increased cyber resilience. Executive leaders should include the CISO in decision-making processes and adjust budgets so that the CISO has adequate funding for the institution’s security investments.
Adjust reporting thresholds
Incident detection systems should be tuned periodically to ensure a balance between potential false positives and under-reporting of external risk events. Some cyber events that may have previously been considered “low risk” may now be cause for actionable escalation. Thresholds should be lowered so that an institution’s cyber response team has increased visibility during this period of heightened threat.
Plan for the worst
Consider the immediate actions that may be necessary if a core banking platform or other business-critical system were impacted. Institutions should work with their security and IT teams to determine where the “kill switch” would be for any given critical system. This often means determining how a financial institution’s infrastructure systems would be powered down or disconnected to prevent continued intrusion or spread of malicious software.
Exercise continuity plans
Know your plan of action should a system experience downtime due to a DDoS attack. Leadership should ensure business units within the financial institution practice tabletop exercises related to business continuity in case critical systems become unavailable. These exercises evaluate whether key personnel across the institution understand their role in responding to an incident. Act on the gaps identified in these scenarios to strengthen recovery of operations if the institution faces an adverse event.
Test cyber response plans
In addition to business continuity exercises, incident response exercises should also be performed. Financial institutions should leverage security incident response tabletop exercises, such as those included as part of the CISA Tabletop Exercise Package, to formalize discussions around various types of threats. Technical personnel and senior leadership should perform separate tabletop exercises, as the scenarios, steps, and outcomes differ depending on the audience. Results from incident response exercises help institutions assess the adequacy of their response and identify potential gaps.
(Megan Castranio, Abrigo Internal IT Controls Lead, Edward Callis, Abrigo Senior Director, IT Risk & Assurance, and Tiffany Dai, Abrigo’s Internal IT Auditor, contributed to this article.)