Cyber & IT Supervisory Forum - November 2023

Regulatory Considerations

Regulatory Landscape Overview
• Evolving Compliance Demands: Outline the increased complexity and expectations around cybersecurity for financial institutions.
• Interagency Collaboration: Highlight recent efforts by financial regulatory agencies to synchronize cybersecurity regulations.

Effective Incident Response Plans:
• FDIC Guidelines: Reference the Federal Deposit Insurance Corporation's requirements for rapid response to limit damage from cyber incidents.
• Customization for Banks: Discuss the need for banks to tailor their incident response plans to their specific operations and risk profiles.

Compliance: Beyond Checking Boxes:
• SEC Regulations: Detail the Securities and Exchange Commission's expectations for cybersecurity disclosures and protocols to protect investor data.
• NY DFS Cybersecurity Requirements: Summarize key points from the New York Department of Financial Services' stringent cybersecurity regulations, including penetration testing and risk assessment mandates.

New Guidance on Third-Party Risk Management (TPRM):
• Federal Banking Agencies Guidance: Introduce the June 2023 joint release from the Federal Reserve, FDIC, and OCC on new TPRM guidelines, emphasizing its significance for banking operations.
• Risk Management Integration: Discuss the importance of integrating TPRM into the overall cybersecurity posture, stressing vendor risk assessments and management.

Increased Accountability – SEC / SolarWinds

15

Intelligence-Driven Cyber Defense Strategies

Proactive Threat Identification: Leverage real-time threat intelligence for early detection; use threat-intelligence platforms for current threat data.

Strategic Security Planning: Plan defenses around attacker TTPs (Tactics, Techniques, and Procedures). Early warning buys time to pre-empt attacks.

Risk Management: Continuous threat landscape analysis; dynamic updates to the institution's risk profile.

Training & Awareness: Regular security awareness programs for staff, with updates on current phishing and social engineering tactics.

Enhanced Supply Chain Security: Assess and monitor third-party vendor security.

Regulatory Alignment: Stay informed on cybersecurity regulatory updates; ensure compliance and leverage it for protection.

Collaborative Information Sharing: Engage in industry coalitions for shared intelligence.

Adaptive Response Mechanisms: Rapidly adapt defense strategies to emerging threats.

16
