Compliance Blog

Jul 06, 2015

FFIEC Releases Cybersecurity Assessment Tool

Written by Bernadette Clair, Senior Regulatory Compliance Counsel

Happy Monday! I hope everyone had a fun-filled 4th of July! Last week, the Federal Financial Institutions Examination Council (FFIEC) announced the release of a cybersecurity assessment tool designed to help financial institutions assess their cybersecurity risks and preparedness. Creating this tool was one of the FFIEC’s cybersecurity priorities for 2015. We blogged about this, and the FFIEC’s other cybersecurity priorities here. It also follows on the heels of a pilot assessment of cybersecurity preparedness at more than 500 community institutions that the FFIEC conducted in the summer of 2014.

The tool walks users through a two-part assessment. The first step is determining an institution’s “inherent risk profile” which looks at inherent cyber risks in five categories without factoring in mitigating controls that the institution has in place. These categories include:

  • Technologies and Connection Types
  • Delivery Channels
  • Online/Mobile Products and Technology Services
  • Organizational Characteristics
  • External Threats

The second step is assessing the institution’s “cyber maturity” level in five areas referred to as domains:

  • Domain 1: Cyber Risk Management and Oversight
  • Domain 2: Threat Intelligence and Collaboration
  • Domain 3: Cybersecurity Controls
  • Domain 4: External Dependency Management
  • Domain 5: Cyber Incident Management and Resilience

Once these steps are complete, an institution can use the results to determine if its cyber maturity levels are appropriate for its inherent risk profile, or if adjustments are needed such as reducing particular risks or strengthening cyber maturity levels. Periodic reevaluation is recommended and the FFIEC plans to update the tool as threats, vulnerabilities and operational environments evolve.

Several resources are provided along with the tool, including a work process flow for institutions, an overview for CEOs and boards of directors, and appendices that cross-reference cybersecurity related principles and guidance from the FFIEC Information Technology (IT) Examination Handbook (Appendix A to the assessment tool) and concepts from industry standards such as the National Institute of Standards and Technology (NIST) (Appendix B to the assessment tool).

A twenty-minute video presentation is also available, which discusses cyber risk trends, FFIEC priorities to address these trends, and the objectives of the cybersecurity assessment tool. (PDF slides available here.)