Cyber criminals will never stop trying, so community banks need to ensure that their cybersecurity practices are up to date. But who in the bank is responsible for this task? The Cyber Security Toolkit offers clarity.
ICBA and other organizations partnered with the Carnegie Endowment for International Peace to update the Cyber Resilience and Financial Organizations: A Capacity-building Tool Box, resulting in the comprehensive Cyber Security Toolkit.
“[The toolkit] offers guides to help in various aspects of the cybersecurity program, ranging from leadership to workforce development and everything in between,” says Lance Noggle, ICBA’s senior vice president, operations and senior regulatory counsel.
“It’s not designed to help you redo your entire cybersecurity program,” he adds. “It can help you manage the program that you have in place, analyze what you’re doing and maybe spot some holes that you think that might be there.”
The toolkit includes advice especially pertinent to small- and mid-sized banks, or banks looking to improve their cyber hygiene in general.
“No matter how robust the program is, you need to have some sort of way to review and process and implement ways to keep your system up to date,” Noggle says.
Different roles, different responsibilities
The responsibilities for protecting a bank and its customers from cyber threats will differ among board members, CEOs and CISOs. The toolkit offers different checklists and guides for each of these groups.
Board members: This group takes top responsibility when it comes to cybersecurity preparedness and response. To keep board members abreast of new best practices, the guide offers guidance on:
Fundamentals of cyber risk governance: A series of questions to ensure your bank is meeting cybersecurity requirements and is prepared in case of a breach
Oversight: Information on what cybersecurity aspects fall under the responsibility of the board
Staying informed: Advice on how to keep current on cyber risk
Setting the tone: How to create a culture where your staff members know how to best protect the bank
CEOs: As organizational leaders, this group helps set rules and provides leadership for the rest of the bank. The toolkit details protocol for the following topics:
Governance
Risk assessment and management
Organizational culture
CISOs: As staff members who handle technology and cybersecurity day to day, this group has a number of tasks they’re responsible for, including:
Preventing malware damage
Training employees
Developing a risk-based information security system
Protecting data
Keeping devices safe
Using passwords
Controlling permissions
Securing Wi-Fi networks and devices
Avoiding phishing attacks
The toolkit also includes checklists on how CISOs can best protect their bank’s customers as well as its third-party connections.
Further protection
In addition to the position-specific checklists, the toolkit includes three one-page guides.
Incident Response Guide: Having a guide in case of a cyber breach is vital for any financial institution. Learn about best practices when responding to an incident with the NIST Cybersecurity Framework: Identify, Protect, Detect, Respond and Recover.
Ransomware: Prevention and Protection: Cyber criminals have continuously created new ways to use ransomware and malware, including phishing, false websites and corrupted downloads. This guide covers planning, helpful technology and information on regulations.
Workforce Development: As many banks can attest, it can be difficult to attract and retain top cyber talent. By following the advice in this worksheet, banks can learn how to improve recruitment and talent cultivation practices.
Peace of mind
By utilizing the toolkit, community banks can keep up with current cybersecurity practices and protect both their customers and themselves.
“Even though your regulators come and check and examine the financial institution, you’re always worried that there’s something you’re not doing,” Noggle says. “And I think that’s what’s good about a checklist. You can match it up to what you’re doing, and it can give you some peace of mind that you’re not missing some major requirements.”
Scanning for vulnerabilities
To strengthen your community bank’s cybersecurity practices even further, Lance Noggle, ICBA’s senior vice president, operations and senior regulatory counsel, recommends the Cybersecurity and Infrastructure Security Agency’s (CISA) Vulnerability Scanning.
“It’ll scan your system on a weekly basis for vulnerabilities,” he says, “so it’s really good for smaller institutions that might not do testing as much as a large institution.”
The program is free and will identify all parts of your organization’s technology that need to be scanned, search for vulnerabilities and make recommendations to improve cybersecurity.
For more information, go to cisa.gov