Prepping for New Cyber Exams
How a FEMA-Funded Training Program Can Help
Faced with beefed-up cybersecurity exams by banking regulators next year that likely will scrutinize their security awareness efforts, banks and credit unions are looking for cost-effective ways to educate their boards and senior executives about critical issues.
One resource that could prove helpful is a free cybersecurity education program supported by the Department of Homeland Security and the Federal Emergency Management Agency.
This cybersecurity training now includes a new group of classes tailored for executives and business professionals who do not come from an IT background, says Catherine Gibson, training coordinator for Texas A&M University's Engineering Extension Service. The university is one of several that offer the training, available to public agencies and private businesses, such as banks and others.
"This is the only program from FEMA that is focused on the executive leadership and getting them involved in the cyber-planning, rather than just delegating that responsibility," Gibson says.
Al Pascual, director of fraud and security at Javelin Strategy & Research, encourages banks and other financial institutions to consider taking advantage of this federally funded program.
"While I have heard of some universities making the recordings of their classes available for free online, none that I am aware of offer complete courses on cybersecurity at no charge," he says. "I'd encourage CIOs and CTOs with a knowledge deficit on any of these topics to take advantage. But other senior executives could also benefit from an understanding of basic cybersecurity terminology and issues, as a pervasive culture of security awareness is something that always resonates with regulators."
Bill Nelson, president of the Financial Services Information Sharing and Analysis Center, says cyber-education programs offered by universities to businesses are common. But one that has funding from the DHS definitely has significant value.
"I think it would particularly help banking institutions and community institutions to get educated about cybersecurity," he says.
Nelson also says a number of state banking associations are offering similar programs, aimed at educating CEOs and CISOs about emerging threats through tabletop exercises. "It certainly will help the overall preparedness of the sector," he says.
Focus on C-Level Cyber Awareness
In November, the Federal Financial Institutions Examination Council summarized results from its summer cybersecurity assessment program, which was piloted at more than 500 community banks. The FFIEC noted in its findings that it planned to issue new or updated regulatory guidance specifically geared toward cybersecurity preparedness, an area where community banks and credit unions were found to have obvious weaknesses (see FFIEC to Update Cybersecurity Guidance).
One area called out by regulators in their assessments of those community institutions was a lack of cyberthreat awareness among C-level executives and boards of directors (see FDIC: What to Expect in New Guidance).
Exactly how regulators expect institutions to design their cybersecurity awareness programs remains to be seen, but security experts say examiners will want to know that top executives and boards of directors are aware of emerging cyberthreats and are communicating regularly with their fraud and security teams to ensure they fully understand the steps being taken by their institutions to address those threats and mitigate risk.
Hord Tipton, executive director of (ISC)², a global information security training and certification organization, notes: "Without some formalized methods of internally educating your entire workforce, proving your organization has taken good faith efforts to safeguard customer data and PII [personally identifiable information] is not possible."
That's why Tipton says institutions should take advantage of educational opportunities, such as the federally funded program. But he cautions that banks need to make sure that the training programs they use are up to par.
"There is a lot of 'free' information out there, and, as expected, much of it varies in quality," Tipton says. "Unless the programs are adhering to acceptable standards or best practices, their value will be questioned. But the Texas A&M program has good sponsors and support in DHS and FEMA, so I can definitely see value."
The cybersecurity curriculum funded by the two federal agencies is part of a series of training and education courses offered by the National Cybersecurity Preparedness Consortium, a partnership between Texas A&M's Engineering Extension Service, The University of San Antonio, the University of Memphis, Norwich University and the University of Arkansas.
This year, the consortium has been updating its coursework for leadership training in cybersecurity, in response to emerging threats, Gibson says.
This group of courses, which falls under the program's Executive Leadership and Management Services, is a tailored cybersecurity and emergency response plan designed for executives, she says. The coursework, which is available on-demand online and taught by security industry practitioners and university professors, may be incorporated into any business's cybersecurity awareness training program, Gibson says.
"Cyber is part of the critical infrastructure, and FEMA wants to be sure banking institutions and other businesses have adequate awareness training," Gibson says.
To learn more about the courses offered, visit Texas A&M's cybersecurity course catalog.