Banks are a prime target for cybercriminals.
That’s because it takes, on average, 233 days—about 8 months—for a financial services institution to detect and contain a data breach (source: Varonis).
This alarming trend is why banks must be regularly audited.
A bank audit is a formal process in which an independent accounting specialist reviews the services, systems, financial statements, and/or procedures of a bank, credit union, or other financial institution. Every financial service company must undergo audits regularly in order to comply with legal and jurisdictional regulations, laws, and industry standards.
For community banks, this means complying with the Gramm-Leach-Bliley Act, also known as the GLBA. The GLBA “requires financial institutions … to explain their information-sharing practices to their customers and to safeguard sensitive data.”
In addition to an audit, another process banks could be subjected to is an exam.
Compliance audits are optional, proactive steps banks can take for cybersecurity protection. They are more comprehensive than an exam.
Exams are mandatory and are conducted by the state or the federal government. Each state has its own regulations, and federal regulations are different from those.
One of the best ways banks can prepare for audits and exams is with the Cybersecurity Assessment Tool (CAT).
“In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council (FFIEC) developed the Cybersecurity Assessment Tool to help institutions identify their risks and determine their cybersecurity preparedness,” says the FFIEC.
The CAT looks at approximately 500 cybersecurity components and helps banks assess the controls they have (or don’t have) in place.
One of the ways it does this is by helping security professionals understand cybersecurity maturity across five domains.
Broadly speaking, the CAT categorizes security controls for compliance audits across five domains:
Each domain looks at a number of cybersecurity risk assessment factors and components.
“Under each component,” the CAT says, “there are declarative statements describing an activity that supports the assessment factor at that level of maturity.”
In addition to the five domains, the CAT outlines five cybersecurity maturity levels, which range from the minimum expectations required by law to driving innovation within the industry.
Each maturity level is listed here along with an example of a control:
Now that you know more about the annual audit process, you’ll need to determine how best to complete it for your bank.
Because the CAT is complex, banks may consider working with an outside partner who has expertise in facilitating the audit and interpreting the exit notes.