Bank Wire: Cybersecurity Testing is More Important than Ever

Rapidly increasing cyber risks make it essential for banks to conduct regular tests of their cybersecurity preparedness, including vulnerability and penetration testing. According to IBM’s “Cost of a Data Breach Report 2024,” the average breach cost $6.08 million in the financial industry (defined as banking, insurance and investment companies). That’s second only to health care. To help prevent cyberattacks, banks must develop effective information security programs and test them regularly to ensure that they’re operating as expected.

According to the Federal Financial Institutions Examination Council’s (FFIEC’s) Information Technology Examination Handbook, the primary testing tools include self-assessments, penetration tests, vulnerability assessments and audits. Penetration testing is particularly important, given the speed with which hackers’ techniques are evolving. It involves subjecting a system to real-world attacks selected and conducted by the testers to identify weaknesses in business processes and technical controls.

FFIEC to retire Cybersecurity Assessment Tool

The FFIEC will “sunset” its Cybersecurity Assessment Tool (CAT) at the end of August 2025. First made available nearly 10 years ago, the CAT is a voluntary tool banks can use to identify their cybersecurity risks and determine their preparedness. The FFIEC notes that while “fundamental security controls addressed throughout the maturity levels of the CAT are sound, several new and updated government and industry resources are available that financial institutions can leverage to better manage cybersecurity risks.”

Government resources include:

  • The National Institute of Standards and Technology (NIST) Cybersecurity Framework 2.0 (go to nist.gov and search for cyber framework), and
  • The Cybersecurity and Infrastructure Security Agency’s (CISA) Cybersecurity Performance Goals (go to cisa.gov and search for cybersecurity performance goals).

Industry resources include:

and search for “the profile,”) and

  • The Center for Internet Security Critical Security Controls (go to cisecurity.org and search for controls).

The FFIEC doesn’t endorse any particular tool, but says that these standardized tools can assist banks in their self-assessment activities.

CFPB targeting improper overdraft opt-in practices

In a recent Consumer Financial Protection Circular (2024-05), the Consumer Financial Protection Bureau (CFPB) explained how to tell if a bank is violating the Electronic Fund Transfer Act and Regulation E. A violation may happen if the bank lacks proof that it has obtained consumers’ affirmative consent before levying overdraft fees for ATM and one-time debit card transactions.

Regulation E’s overdraft provisions establish an “opt-in” regime. The CFPB clarifies that banks are prohibited from charging such fees unless consumers affirmatively consent to enrollment. The form of records that demonstrate consent may vary depending on which channel the consumer uses to opt in to covered overdraft services.

© 2024
