The Farm Credit Administration (FCA) announced a new cyber risk management rule that takes effect January 1, 2025. The rule requires Farm Credit institutions to implement a comprehensive, written cyber risk management program tailored to their size, risk profile, and complexity.
Per the FCA, your cyber risk management program is required to include the following:
This might sound like a lot, but we have broken these requirements down into specific, actionable activities that will help your Farm Credit institution pass its next FCA examination.
Assessing risk is an integral part of any cybersecurity program. Knowing where your risks are lets you direct resources and budget to where they are most needed, which is why a risk assessment is generally the best place to start.
A good risk assessment inventories the assets your organization has, the controls in place to protect them, and the residual risk that remains after those controls are applied. This is usually done through interviews with IT staff or managed service providers, walking through each control and how well it actually protects the asset in question. As it currently stands, Farm Credit institutions can perform the risk assessment internally or contract with a third-party provider.
TraceSecurity recently developed an IT audit and risk assessment framework aligned with the FCA examination guidance to assist farm credits with the new requirements. Our Risk Assessments come with your risks prioritized by criticality and actionable recommendations for improvement.
With new vulnerabilities disclosed every day, regularly identifying the ones present on your software and systems is essential. At a minimum, vulnerability scanning should be performed annually and after any major change to the network; in recent years, many organizations have moved to quarterly or monthly scans to keep pace with newly published vulnerabilities.
TraceSecurity uses the Qualys Scanner Appliance to perform our Vulnerability Assessments. Qualys is widely regarded as one of the most robust scanners on the market, with daily signature library updates and minimal false positives. Qualys can run both authenticated and unauthenticated scans depending on your organization's priorities: an unauthenticated scan shows what an attacker on the network would see, while an authenticated scan logs in to each host and inspects installed software and configuration directly, producing a more complete and accurate picture of missing patches.
Once you have identified your risks and vulnerabilities, you need to have a plan to mitigate and manage them long term. Whether it’s being handled in-house or through an MSP, you should have internal documentation about how your risks are being managed.
The Qualys scanner appliance and scan results can be managed in our TraceInsight Vulnerability Management platform. It allows you to run unlimited scans on your own, run additional reports, assign remediation activities, and log improvement over time.
Employees are often the weakest point in an organization's information security posture. No matter how well hardened your networks and systems are, human error remains an easy avenue for attackers to exploit. People are regularly taken advantage of through malicious emails and phone calls, or even something as simple as holding the door open for a stranger (tailgating).
Security awareness training comes in many forms, the most traditional being a formal presentation to all employees. Typically delivered annually, this is good for consistency and for setting a tone of security awareness across the organization. TraceSecurity's information security analysts have performed countless trainings, both onsite with employees and remotely over video call.
There are also video-based trainings that can be assigned on a schedule throughout the year for more regular reinforcement. Our TraceEducation platform includes over 30 in-house developed educational videos with quizzes to reinforce key takeaways, with new videos being added monthly.
Beyond training, more and more companies are actively testing their employees against these types of attacks. Testing can include simulated phishing emails, vishing phone calls, and even onsite social engineering attempts. Each of these gives you an idea of how well your employees will hold up against real-world attacks, and the results help reinforce good behaviors: reporting phishing emails, verifying callers and visitors, and treating any unexpected communication with suspicion.
Third-party relationships are essential to most businesses, but they can also pose a significant security risk. Depending on what they do for you, vendors may have access to sensitive internal information and member data. You may be doing your due diligence on internal cybersecurity protections, but that only goes so far if your vendors are not doing the same.
Any company working with third parties should have policies and standards in place for vendor management. These should include acceptable use requirements for your data, vetting processes, risk mitigation strategies, compliance standards, and escalation procedures in the event of a breach. It is becoming increasingly common for businesses to require vendors to adhere to specific security and compliance standards. Even when a vendor is not directly subject to a regulation, the businesses it wants to work with often require a certain level of security. For example, managed service providers serving the financial industry typically align with FFIEC guidance in order to maintain working relationships with banks and credit unions, and government contractors are often required to hold specific cybersecurity certifications before they will even be considered.
During the vetting process for new vendors, it is extremely important to review their internal security standards and policies and confirm they are in line with your own. Long-standing vendors should be reviewed on a regular basis to ensure they are maintaining an acceptable level of security, since a vendor's posture can change as its staff, tooling, and subcontractors change.
If you already have vendor management policies in place, review and update them regularly. With new tools and updates coming out every day, there are always new security concerns to address and prepare for.
Security controls are typically split into three categories: preventive, detective, and corrective. Together they make up your main line of defense against attackers.
Preventive controls are the things you do to keep a breach from happening in the first place. Multi-factor authentication, security awareness training, and separation of duties are all controls that reduce the chance of compromise while employees go about their day-to-day work.
Detective controls are designed to spot an intrusion as it happens or shortly afterward, such as intrusion detection systems, managed SIEM solutions, and endpoint malware detection. In the event of a breach, these systems alert IT staff to unusual or malicious activity, ideally with enough notice to stop it in its tracks and minimize the damage.
Corrective controls are what you need in place to contain and recover from a breach once it has occurred. This includes your incident response and disaster recovery plans. The people and processes involved in handling a breach should be formally documented, updated regularly, and exercised against simulated scenarios so that gaps are found before a real incident.
The best way to determine which security controls you have in place, and how effective they are, is through IT security auditing. With a comprehensive view of all controls in place, you can identify where the gaps lie and where improvement is needed.
For a more granular view of specific control areas, penetration tests and configuration reviews provide additional recommendations. Penetration tests can focus on your internal or external network, wireless networks, online or mobile applications, and more. Configuration reviews can be performed against your firewalls, servers, VPNs, Microsoft 365 environments, and other systems.
The last requirement from the FCA is to have processes in place for reporting all of these activities to your board. This will likely involve aggregating the reports from each part of your cybersecurity program: employee training completion, phishing and social engineering test results, vulnerability scan findings and remediation progress, and security control verifications are all information the board needs to know and understand. This is especially important when you need additional budget to address security concerns found during testing and training.
A comprehensive cyber risk program is instrumental to the continued success of Farm Credit institutions. Protecting employee and member information is critical to maintaining business operations and reputation. The FCA is committed to enforcing these new requirements, and TraceSecurity is here to help you tackle them head on. Get in touch to see how we can help you stay in compliance and protect your members.
You can read the official update from the FCA here: https://ww3.fca.gov/news/Lists/News%20Releases/Attachments/697/NR-23-15-10-05-23.pdf