I. INTRODUCTION
The Federal Financial Institutions Examination Council (FFIEC), has recommended that financial institutions of all sizes participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC). Rapidly evolving cybersecurity risk reinforces the need for all institutions and their critical technology service providers to have appropriate methods for monitoring, sharing, and responding to threat and vulnerability information. This information is critical to safeguarding customer and other sensitive information and information technology systems. Participating in information-sharing forums is an important element of an institution’s risk management processes and its ability to identify, respond to, and mitigate cybersecurity threats and incidents.
II. RISK
Financial institutions face a variety of risks from cyber attacks including operational risks, fraud losses, liquidity, and capital risks. A financial institution’s lack of information regarding cybersecurity threats poses undue risk to itself and other financial institutions.
III. RISK MITIGATION
Financial institution management is expected to monitor and maintain sufficient awareness of cybersecurity threats and vulnerability information so they may evaluate risk and respond accordingly. Financial institution management also should establish procedures to evaluate and apply the various types and quantity of cyber threat and vulnerability information to meet the needs of their organization. Financial institutions and their critical technology service providers can use the FS-ISAC and the other resources listed in this statement to monitor cyber threats and vulnerabilities and to enhance their risk management and internal controls. Financial institutions can also use the FS-ISAC to share information with other financial institutions. Financial institutions with less than $1 billion in assets may also subscribe to free limited critical notifications. The FS-ISAC Web site can be found at www.fsisac.com.
IV. ADDITIONAL RESOURCES
There are also a number of additional government resources to assist financial institutions with identifying and responding to cyber attacks, including: