Chief Executive Officers, Managers, and Trustees/Directors of financial institutions and non-depository institutions should ask specific questions when developing a cybersecurity program. You should also ensure satisfactory responses are available.
The Conference of State Bank Supervisors (CSBS) developed these questions based on the five functions of the NIST Cybersecurity Framework.
Identify function questions
- Does my institution understand what information it manages, where the information is stored, how sensitive the information is, and who has access to it?
- What are my institution’s key business assets? Do I have adequate protection for them?
- What types of connections does my financial institution have (VPNs, wireless, LAN, etc.)? How are we managing these connections?
- How is staff at my institution identifying risk? Do they provide me with accurate and timely information about those risks?
- What is our ability to mitigate those risks?
- How is my institution connecting to third parties? How do they manage cybersecurity controls?
Protect function questions
- How effective are my institution’s policies and procedures for monitoring information inventory?
- Do my IT personnel have the right knowledge or skills to protect against a potential cyber attack?
- Is my staff informed about cyber threats? Do they have an understanding of risk from their actions?
Detect function questions
- How are our Trustees/Directors and senior managers informed about the current level and business impact of cyber risks to our organization?
- Are we prepared to prevent or limit the damage caused by these attacks?
Respond function questions
- Have we created an effective incident response plan? How often is it tested?
- What would we do if we were hacked today?
- Do we have a plan to inform internal and external stakeholders of an incident?
Recover function questions
- Does my financial institution’s incident response plan include steps for recovering after a cyber attack?
- When did we last test our incident response plan?
- How will we communicate with internal staff, consumers, third parties, regulators, and law enforcement regarding a data breach at my financial institution?