FFIEC - Cybersecurity Requirements Compliance

ThreatAdvice vCISO Platform

Create an inherent risk profile annually and a perform a cybersecurity maturity assessment annually per FFIEC cybersecurity guidelines dated May 2017.
Have a risk appetite statement and a cybersecurity policy.
Contract and have performed independent third party intrusion tests (pen tests) at least annually depending on complexity of environment. Two per year usually expected.
Have external vulnerability testing done periodically. This is best done monthly, but quarterly may suffice for small entities.
Have an incident response plan that incorporates recovery from cybersecurity events.

Have an incident response policy that outlines the roles and responsibilities and requirements of the incident response plan.
Perform risk assessments annually against those threat sources associated with cybersecurity, virus, and malicious code.
Have backup policies that outline recovery requirements from malicious cyber events.
Contracts with service providers must have a breach, confidentiality, and notice section.
BCM (Business Continuity Management) plan guidance date November 2019 requires section on recovery from cybersecurity events.
Cybersecurity training must be part of annual security awareness training if not a separate training program.

While you’re at it, why not check out our related blog?

ThreatAdvice vCISO was designed with the goal to help financial institutions meet the cybersecurity requirements designated by the FFIEC.
Our vCISO software and team of experts work in tandem to ensure that you are prepared for your next exam as it re-lates to cybersecurity.
Talk to a NXTsoft salesperson for more information on how vCISO can help financial institutions meet FFIEC requirements as well as provide complete cybersecurity oversight for a financial institution.