FFIEC overview

When using third-party service providers, management should ensure adequate business resiliency through:
Third-Party Management, which involves due diligence procedures, regular monitoring, and strategic, integrative considerations with third-party servicers;
Third-Party Capacity, which considers third parties' abilities to deliver essential services under adverse scenarios, in addition to possible alternatives in the event of third-party failure;
Testing with Third-Party TSPs, which involves testing the business continuity resilience among the financial institution and third-party service providers, in addition to the review of test results and remediation of any observed weaknesses; and
Cyber Resilience, which involves identification and mitigation of cyber threats to data and operational infrastructure, as well as effective incident response procedures to cyber attacks.
FFIEC conclusions
Who is the FFIEC (Federal Financial Institutions Examination Council)?

The Council is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), Federal Deposit Insurance Corporation (FDIC), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), and Consumer Financial Protection Bureau (CFPB), and to make recommendations to promote uniformity in the supervision of financial institutions.
Cyber resilience in financial market infrastructures
11 November 2014
Statement by CPMI Chair Benoît Cœuré
Cyber-related incidents have become more frequent in the last few years, affecting all areas of the economy, with the financial sector being no exception. Cyber threats are increasingly complex and rapidly evolving, with diverse origins and motivations.

Today, the Committee on Payments and Market Infrastructures (CPMI) has issued the report Cyber resilience in financial market infrastructures, which examines some of the evolving practices and concepts that financial market infrastructures (FMIs) are considering and applying in their approaches to enhance cyber resilience.

The report notes that cyber resilience is increasingly becoming a top priority within FMIs, although the CPMI's analysis, which was supported by industry interviews, shows that there are differences as to the form and maturity of FMIs' approaches to cyber resilience.
Cyber attacks: Risks for banks and BaFin activities
17 February 2015
BaFin - Cyber attacks

Cyber attacks do not affect only the banking industry, but all industries. For that reason the Federal Government has presented a draft IT Security Act (IT-Sicherheitsgesetz, only available in German), which is intended to improve the IT security of all critical infrastructures. BaFin has been setting requirements for banks' IT security management since as far back as 2006 in its Circular on Minimum Requirements for Risk Management (Mindestanforderungen für das Risikomanagement – MaRisk), which was last updated in late 2012.

This article describes the requirements intended to minimize the risk.
Protective measures:
ISO 2700 standards, BSI 100-1 to 100-4
IT security in outsourcing activities and the purchasing of IT systems
WASHINGTON, Feb. 11, 2015

A new Cyber Threat Intelligence Integration Center is being created under the auspices of the director of national intelligence. [22]
New European Community (EC) laws governing data protection, set to be implemented in the next two to three years, will have a fundamental impact on the way that most organizations in European Union (EU) member states implement security policies and report breaches. The Network and Information Security (NIS) 'cyber security' directive is set to be finalized in 2015, depending on how long it takes for the EU Council and Parliament to agree on a final version. Member States will then need to immediately begin preparing for compliance and complete implementation by approximately the end of 2017. In addition, there is a separate plan to unify the existing data protection regulations in force within the different EU countries under a single law, the General Data Protection Regulation (GDPR), currently set to be finalized in early 2015, compliance with which will become mandatory in 2017.