Cyber Resilience - New Focus in OCC Operating Plan for 2016

The OCC included “Cybersecurity and Resilience Planning” as a focus for 2016 in the release of their most recent Operating Plan. They went on to more specifically state that they would be, “reviewing banks’ programs for assessing the evolving cyber threat environment and banks’ cyber resilience”, and confirmed that they would, in fact, use the FFIEC Cybersecurity Assessment Tool (CAT) to do just that.

So what does that mean for banks from a compliance perspective?

For starters, it means that you need to understand what the term “cyber resilience” actually means. Where cybersecurity focuses on preventing attacks from succeeding or happening altogether, cyber resilience assumes that attacks will succeed.

Let me repeat that: cyber resilience assumes that cyber attacks will be successful on your network.

Cyber resilience is defined as the ability for a system to withstand and recover from a cyber attack. It is the next evolution in information security, and it is born from the idea that virtually all cybersecurity controls put in place can be circumvented.

Pretty scary, right? Well, that’s why taking this approach is so important in today’s environment. Cyber resilience moves us from a mindset of naïve security (thinking it can’t happen to us) to a state of preparedness for the worse.

How do we get to cyber resilience?

Fortunately, banks have been asked to implement the various parts of cyber resilience under the name of information security for years now and with a little work on a few areas, a strong cyber resilience program is not out of reach.

Cyber resilience still includes defense and protection of systems and the network, but goes beyond that to emphasize the following areas:

• Business Focus – Perform or update your Business Impact Analysis (BIA) to determine what systems are most important to your bank.
• Detection – Log monitoring, user exceptions reports, anti-virus detections, intrusion prevention hits, etc. – Make sure these are being reviewed regularly and abnormalities are getting follow-up.
• Response – Update your Incident Response Plan to include the cyber attacks that could have the biggest impact on your organization. Be sure to test the plan at least annually.
• Recover – Tie your Incident Response Plan back to your Business Continuity Plan (BCP). Include cyber attack scenarios in your BCP to plan the recovery process for your bank. Make sure you prioritize by the results of your Business Impact Analysis. The BCP should also be tested at least annually.

What’s the CAT got to do with it?

While the FFIEC called it the Cybersecurity Assessment Tool, they very well could have called it the Cyber Resilience Assessment Tool, because it places a ton of focus on detection, response, and recovery (not to mention the protection aspect).

That being said, it is a pretty good tool for determining an appropriate target cyber maturity level, assessing what your current cyber maturity level is, and creating an action plan to bridge the gap.   It’s no wonder the OCC wants to use it as a starting point for reviewing banks’ cyber resilience.

So if your bank hasn’t completed the CAT* already, you need to get started. Now.

From a security perspective, do it to see where your bank stands on cyber resilience. From a compliance perspective, do it because examiners will ask for it. Whatever your reason, make sure your bank takes time to focus on the CAT and cyber resilience.

* For more information on completing the Cybersecurity Assessment Tool, and to download of my free tool to help automate the analysis and reporting, go to our Cybersecurity Assessment Tool page