The FDIC and the OCC reminded financial institutions of the importance of implementing sound cybersecurity risk management principles that include both (i) preventative controls and (ii) preparation for worst-case scenarios.

In a joint statement, the banking regulators urged financial institutions to include in their cybersecurity controls:

  • response, resilience and recovery capabilities by (i) maintaining comprehensive and current incident and business resilience plans in order to respond and recover successfully from destructive cyberattacks and (ii) establishing comprehensive system and data backup strategies;
  • identity and access management, in order to prevent phishing attacks that could compromise login credentials, including through the use of multifactor authentication to safeguard critical systems and data;
  • network configuration and system hardening, which provides access only to approved ports, protocols and other services and is continually monitored;
  • employee training in recognizing cyber threats, phishing and suspicious links, in addition to measuring the success of the training programs;
  • security tools and monitoring procedures, such as (i) hiring qualified cybersecurity, (ii) reviewing system and network audit logs and (iii) implementing sufficient internal and external testing programs to assess firms' ability to detect cyber threats; and
  • data protection systems to implement (i) a data classification program and (ii) the encryption and tokenization of confidential data.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.