From the: Summer 2022 Newsletter

Charlie Clark Moderates Cybersecurity Panel
DFI Director Charlie Clark moderating the Cybersecurity Panel Presentation at the AARMR Regulator and Industry Conference on August 10, 2022

DFI recognizes the importance of staying informed on cybersecurity issues and sharing the latest information with licensees.

In his role as a member of the Board of Directors for the American Association of Residential Mortgage Regulators (AARMR), DFI Director Charlie Clark moderated a panel on cybersecurity at the August Annual AARMR Regulatory Conference. He also provided introductory remarks for a Conference of State Bank Supervisors (CSBS)/U.S. Treasury tabletop exercise for banks, conducted virtually on July 13.

Banks
The Federal Deposit Insurance Corporation (FDIC), Federal Reserve Board, and the Office of the Comptroller of the Currency issued a joint final rule to establish computer-security incident notification requirements for banking organizations and their service providers. The rule requires all FDIC-supervised banking organizations to notify the FDIC as soon as possible, and no later than 36 hours, after the firm determines that a computer-security incident has occurred. In addition to notifying the FDIC, banks should also notify their Division of Banks primary contact.

Credit Unions
The Division of Credit Unions’ (DCU) Information Security & Technology (IS&T) exam team is now fully staffed with two highly credentialed full-time IS&T examiners and a supervisor. An initial goal was to establish an IT contact with each credit union so that we can efficiently provide guidance and support to the right people at the credit unions in the area of cyber threat identification and monitoring. With the contact update largely completed in early 2022, DCU began sending guidance to the industry regarding the numerous cybersecurity threats that have become more prevalent in recent months.

Consumer Services
The industries regulated by DFI’s Division of Consumer Services (DCS) are subject to strong state and federal information security requirements. We examine for compliance with these laws on every exam. We have several examiners with deep cybersecurity training and experience. We also have training resources and examination tools through our affiliation with the Conference of State Bank Supervisors. DCS also provides a number of cybersecurity tools to our licensees, including general security self-assessments and ransomware self-assessments.

Securities
Prior to their first examination, licensees of the Division of Securities receive a technical assistance visit from a securities examiner to discuss regulations they must comply with, including the requirement for a policy addressing cybersecurity.

Helpful cybersecurity resources

Russia Cyber Threat Overview and Advisories
The latest cyber advisories from the Cybersecurity & Infrastructure Security Agency (CISA) regarding the Russia-Ukraine conflict.

NIST Cybersecurity Framework
Cybersecurity Framework from the National Institute of Standards and Technology that can help businesses improve their ability to manage cybersecurity risk.

Critical Security Controls
The Center for Internet Security (CIS) is a community-driven nonprofit that has created a framework of best practices for securing IT systems and data. They released the eighth revision of their Critical Security Controls in 2021.

CISA: Known Exploited Vulnerabilities Catalog
This is a centralized catalog of known exploited vulnerabilities of products that many businesses use every day. The catalog shows the vendor/project, product, name of the vulnerability, when it was added, a brief description of the issue, and the recommended action to take.

CISA: Cyber Incident Response Information and Resources
Cyber incident response resources from the Cybersecurity and Infrastructure Security Agency (CISA).