
Regulation And Supervision
• Regulators expect banks to address cyber risk either in their risk management and/or information security frameworks or in their specific cyber security strategies. The latter includes requirements related to governance and oversight; risk ownership and accountability; information security; periodic evaluation and monitoring of cyber security controls; incident response; business continuity; and recovery planning.
• Supervisors assess banks' cyber security controls and their monitoring and surveillance of emerging threats. These assessments are based on banks' adherence to existing industry standards.
• Supervisory assessments also include challenges to banks' approaches to testing controls and the remediation of issues identified.
• Challenges can include the review of control testing reports, which may be part of a more formal testing program. Such a program could employ various testing methodologies and practices, such as vulnerability assessment, penetration testing and red team testing.
Cyber Incident Response And Recovery
• Regulators expect banks to establish a framework for incident response and recovery that may include cyber-specific business continuity and disaster recovery requirements. The seven components of such a framework are:
• Governance
• Planning and preparation
• Analysis
• Mitigation
• Restoration and recovery
• Coordination and communication
• Improvement