The Office of the Inspector General (OIG) at the Board of Governors of the Federal Reserve System (FRB) found in its latest evaluation report that the board needs to clarify its cybersecurity incident response processes to effectively respond to cyber incidents at institutions that FRB supervises.
The report, published on June 26, found that the board has not consistently followed its own cybersecurity guidance, and that roles and responsibilities among key stakeholders overseeing cyber incident response are unclear in a number of areas.
“In response to the increasing frequency and sophistication of cybersecurity incidents at Board-supervised institutions and their service providers, S&R [Division of Supervision and Regulation] developed a playbook that seeks to establish procedures and protocols for effective, consistent, and replicable supervisory actions in response to cybersecurity incidents,” stated the OIG.
The report was initiated in August 2022 to help indicate where vulnerabilities appeared in the FRB’s cybersecurity response process.
The watchdog outlines two key findings, which call for updating guidance to clarify the mission and governance structure of the cybersecurity incident response process, and for enhancing training on that process.
The report offers the following recommendations:
- Update the playbook to clarify the mission and reflect the governance structure of the cybersecurity incident response process;
- Update the oversight plan for the Cybersecurity Analytics Support Team (CAST) to clearly describe the governance structure of the cybersecurity incident response process;
- Update CAST’s operating procedures to reflect the governance structure;
- Update the playbook to clarify the requirement for completing an after-action review (AAR) after a cybersecurity incident and the party responsible for completing it;
- Update the Board’s December 2018 playbook implementing guidance to reflect the governance structure of the cybersecurity incident response process;
- Require that key stakeholders in the cybersecurity incident response process complete training or other exercises on their roles and responsibilities in the process once the updates to the playbook and its implementing guidance have been completed.
The FRB concurred with those recommendations.
“We believe that these enhancements will improve the effectiveness of the cybersecurity incident response process and that the Board should prioritize addressing these items,” stated the OIG.