In July of this year, we reported on the Cybersecurity Assessment Tool published by the Federal Financial Institutions Examination Council. The FFIEC is an interagency organization that establishes the examination standards for financial institutions, including banks, federal savings associations, state savings associations, state member banks, state nonmember banks and credit unions. As you may recall, the Cybersecurity Assessment Tool is a voluntary tool designed to assist all financial institutions in conducting a self-assessment of cyber risks and to inform their risk management strategies.
This month, the FFIEC published an updated “Management” booklet to its Information Technology Examination Handbook (“IT Handbook”). The IT Handbook consists of eleven booklets (including the Management booklet) that provide guidance to financial institution examiners. The Management booklet outlines the overall principles of information technology governance, including a discussion of how IT risk management is a component of overall risk management. The booklet provides a road map of what regulatory examiners will be looking for and inquiring about during an examination.
The Management booklet is divided into three sections covering (1) IT Governance, (2) Risk Management, and (3) IT Risk Management. Not surprisingly, the section on IT Risk Management references the Cybersecurity Assessment Tool. Although the booklet indicates that use of the tool is optional, it is apparent that the tool is invaluable for risk identification and risk measurement.
This latest Management booklet replaces the 2004 edition. A notable difference is the introduction of the role of the Chief Information Security Officer. The CISO is not referenced in the 2004 edition; only the roles of Chief Information Officer and Chief Technology Officer are discussed. The CISO represents the evolution of the way information security is viewed. Past thinking placed security in the hands of the IT department. The new edition of the Management booklet recognizes that information security should be an independent function that reports directly to the Board of Directors, and not to IT management. According to the Management booklet, the CISO “is responsible for overseeing and reporting on the management and mitigation of information security risks across the institution and should be held accountable for the results of oversight and reporting.” The booklet further advises that, “[t]o ensure independence, the CISO should report directly to the board, a board committee, or senior management and not IT operations management.” The CISO’s independence from IT management is important because IT’s goal of providing reliable and fast computer operations may conflict with the need to secure an organization’s systems and information. Recognizing that not all financial institutions will have the resources for a dedicated CISO position, the Management booklet nevertheless recommends that the institution have an information security officer, reporting to senior management, who performs the functions of a CISO.
Information security is no longer considered simply a technology function, but instead an integral part of enterprise-wide risk management. All organizations that collect and store sensitive data as part of their core business – not just financial institutions – should assess their own need for a dedicated C-level executive who is responsible for overseeing and reporting to the board on the management and mitigation of information security risks across the organization.