The Federal Financial Institutions Examination Council (FFIEC) has established cybersecurity standards to protect financial institutions from the growing threat of cyberattacks. With third-party security risks quickly becoming one of the most critical attack vectors facilitating data breaches in the financial sector, the FFIEC includes robust third-party risk management requirements in its IT Booklets.
Third-Party Risk Management (TPRM), however, is still a relatively new and complicated discipline of cybersecurity that many federally supervised financial institutions still struggle to master.
To reduce confusion surroundings the FFIEC's third-party risks requirements and their consequential non-compliance fines, this post clearly explains how to comply with all of the Third-Party Risk Management requirements of the FFIEC.
Who Needs to Comply with the FFIEC?
All federally supervised financial institutions need to comply with the FFIEC. Examples of federally supervised financial institutions include:
- Domestic and federal banks
- Credit unions
What are the Penalties for Non-Compliance with the FFIEC?
The FFIEC is an examination board that oversees compliance through the following five financial regulators:
- The Board of Governors of the Federal Reserve (FRB) - Regulates Domestic Banks
- The Federal Deposit Insurance Corporation (FDIC) - Regulates Federal Banks
- The Office of the Comptroller of the Currency (OCC) - Regulates Federal Banks
- The National Credit Union Administration (NCUA) - Regulates credit unions.
- Consumer Financial Protection Bureau (CFPB) - Regulates banks, thrifts, and credit unions.
These regulators perform audits to assess alignment with the FFIEC's cybersecurity standards. Infringement penalties depend on the degree of non-compliance and which regulatory conducts the audit.
Not all instances of non-compliance could result in a fine. Some auditors could respond to an infringement with a cease and desist order, while others could issue fines of up to $2 million.
Whether through long-lasting reputational damage or a fine, the repercussions for not complying with the FFIEC standards are always very costly.
What is the FFIEC IT Examination Handbook?
The FFIEC IT Examination Handbook details its recommended cybersecurity guidelines for financial services across the following 10 booklets:
- Business Continuity.
- Development and Acquisition.
- Information Security.
- Architecture, Infrastructure, and Operations.
- Outsourcing Technology Services.
- Retail Payment Systems.
- Supervision of Technology Service Providers.
- Wholesale Payment Systems.
All of these booklets can be accessed via the complete FFIEC IT Handbook.
Two of these 10 booklets specifically address the FFIEC's third-party risk management standards - Outsourcing Technology Services and Supervision of Technology Service Providers.
4-Stage Compliance Guide for FFIEC’s TPRM Requirements
The guidelines below address all of the primary third-party risk compliance standards of the FFIEC.
1. Understand Your Level of Cybersecurity Risk and Preparedness
A Third-Party Risk Management Program that aligns with FFIEC's security guidelines should be an extension of an established information security program. To help financial institutions with poor security standards establish foundational cyber risk management practices, the FFIEC has developed a free Cybersecurity Assessment Tool based on the National Institutes for Standards and Technology's Cybersecurity Framework.
You can use this tool to perform a gap analysis across a set of cybersecurity domains aligning with the FFIEC's primary information technology security initiatives:
- Risk Management Processes.
- Customer Information Security.
- Effective Risk Management Audit Functionality.
- Internal Controls.
- Threat Intelligence across Information Systems.
- Endpoint Security.
- Secure Coding Practices.
Though the use of this tool is optional, it's a highly recommended method of assessing cybersecurity resilience if you currently don't have an established cybersecurity program.
How UpGuard Can Help
UpGuard offers a suite of features supporting continuous cybersecurity risk awareness across commonly exploited regions of the attack surface.
- Security Ratings - Quantitative security posture assessments of your internal IT ecosystems and all third-party vendors (including subcontractors) that are updated in real-time.
- UpGuard Vendor Risk - Assess each vendor's level of risk and likelihood of suffering a data breach.
- Third-Party Risk Assessment Management - Choose from a library of risk assessments based on popular cybersecurity frameworks and track their status.
- Regulatory Compliance Tracking - Map third-party security responses against popular cyber security standards to identify unmet regulatory requirements.
- Cybersecurity Report Generation - Keep board of directors and senior management informed of the state of your security posture and performance against cybersecurity metrics.
2. Implement a Third-Party Risk Management Program
A Third Party Risk Management Program equips financial institutions with the most comprehensive method for mitigating cybersecurity risks with third-party relationships. The FFIEC expects a TPRM program to address the final essential requirements:
- Due Diligence - Assess the incident recovery capabilities of new and existing Technology Service Providers (TSPs) and alignment against internal security standards.
- Ongoing Monitoring - Continuously monitor levels of operational risk, especially for critical activities involving sensitive customer data (see point 3 below for more information about this requirement).
- Contracts - Ensure vendor contracts stipulate compliance with applicable laws, the right to independent reviews, and third-party responsibilities for addressing security risks. The right to audit agreements should include the frequency and name of each required report, for example, SOC 2 reports.
For guidance on identifying and controlling risks associated with anti-money laundering, refer to this handbook by the FFIEC.
If you already have an established cybersecurity framework, a TPRM program should integrate with it and not replace it.
How UpGuard Can Help
UpGuard offers a TPRM solution that addresses the complete lifecycle of security risks for all third-party relationships. This risk management guidance is offered through the following features:
- Due Diligence - Secure the vendor onboarding process with security assessment and attack surface before the use of third parties is approved. Also, assess the risk profile and inherent risk levels of new TSPs against risk appetites.
- Remediation Management - Track remediation efforts of all discovered vulnerabilities and their predicted impact on security ratings.
- Ongoing Monitoring - Real-time monitoring for emerging third-party security risks
- Custom Third-Party Assessments - Build custom questionnaires to assess the efficacy of contingency planning, service disruption prevention strategies, and financial conditions of all third-party vendors.
- Compliance tracking - Build custom questionnaires to assess third-party vendor compliance with applicable laws such as the Gramm-Leach-Bliley Act (GLBA) and anti-money laundering laws.
- Vendor Shared Profile - Have third-party vendors host contracts and other relevant documentation on a shared profile readily available to FFIEC auditors.
- Data Leak Detection - Detect and address data leaks that could expedite third-party data breaches and other third-party risks violating the FFIEC's security standards.
3. Ongoing Monitoring of Attack Surface
The FFIEC requires financial institutions to continuously monitor Technology Service Providers (TSPs) for potential impacts on business resilience. This monitoring effort should involve assessments across the following key areas:
- Business Continuity Planning (BCP)
- Security controls.
- Alignment with vendor service level agreements.
- Potential impact from external events (which could include security incidents within the supply chain).
How UpGuard Can Help
UpGuard continuously monitors the third-party attack surface to discover emerging third-party risks that could facilitate data breaches. The results of these scans then feed a security rating algorithm to form a quantitative analysis of the efficacy of each third-party service provider's security controls.
For bespoke monitoring efforts, UpGuard offers a customizable security questionnaire builder, allowing financial institutions to create security assessments for virtually any area of FFIEC compliance, including all four essential monitoring categories listed above.
4. Third-Party Compliance Tracking
The FFIEC requires management to perform a formal assessment to identify the scope of risks across the following four risk categories.
- Reputational risks - Any reputational threats arising from information technology errors, including inefficient or delayed data breach notifications to impacted customers.
- Strategic risks - Any threats to poor strategic decisions caused by inadequate management experience.
- Compliance risks - Any threats to non-compliance with financial regulations, including non-compliance with third-party vendors.
- Interest rate risks - Processing errors leading to poor investment decisions.
How UpGuard Can Help
UpGuard helps financial institutions identify vendor compliance gaps that could result in an FFIEC violation by mapping security questionnaire responses to popular cybersecurity frameworks.
Other Cybersecurity Standards that Could Support Compliance with FFIEC
Other controls that could support compliance with FFIEC's third-party security standards include:
- Mult-Factor Authentication (MFA) - Implement MFA across all user accounts, not single-factor authentication, since hackers can easily exploit this security mechanism. Ideally, adaptive MFA should be implemented.
- Encrypt all Online Transaction Processes (OLTP) - All financial activities and sensitive customer information should be encrypted at rest and in motion.
- Periodic Internal Assessments - Conduct Periodic internal and third-party security assessments to identify and preemptively address vulnerabilities before they develop into breaches.
- Ensure Strong Board and Senior Management Support - Keep the board and senior managers involved in all information security program plans. Also, ensure management is continuously informed of the status and efficacy of cybersecurity efforts.
- Define Cybersecurity Roles and Responsibilities - Assign responsibilities for key cybersecurity initiatives and responses, ensuring alignment with Incident Response Plans.