Compliance Blog

Jun 09, 2017

Updated FFIEC Cybersecurity Assessment Tool; What Are Your Credit Union's Online Compliance Training Needs?

The Federal Financial Institutions Examination Council (FFIEC) has updated its Cybersecurity Assessment Tool to reflect changes to the FFIEC IT Examination Handbook, specifically the revised Information Security and Management booklets. New response options in the assessment now allow a credit union's management to record supplementary or complementary behaviors, practices and processes that represent the credit union's current practices when assessing its cybersecurity activity.

One item to note is the addition of a third response option for answering the cybersecurity maturity declarative statements. Previously a statement could only be answered yes or no; now there is also a "yes with compensating controls" option. The User's Guide defines "compensating controls" as: "A management, operational, and/or technical control (e.g., safeguard or countermeasure) employed by an organization in lieu of a recommended security control in the low, moderate, or high baselines that provides (sic) equivalent or comparable protection for an information system." This option is intended to let an institution meet the requirements of a declarative statement indirectly, through other security measures or controls, with a level of flexibility the tool did not previously allow.

There is also a revised mapping to the updated booklets in Appendix A. The mapping within the appendix is organized by domain, then by assessment factor and category, with each statement sourced to its origin in the appropriate FFIEC IT Examination Handbook booklet. The last page of the appendix contains the source reference key.

In addition, the FFIEC website reflects updates as of May 2017 to the following sections within the assessment tool:

The FFIEC assessment tool is intended to help an institution determine its inherent risk profile and its cybersecurity preparedness. It provides a repeatable and measurable process that management can use to gauge cybersecurity preparedness over time.

NAFCU has also developed an interactive cybersecurity assessment tool workbook for NAFCU members: an editable, self-tallying file that allows a credit union to self-test its cyber risk and readiness in a shareable format with visual results. The Regulatory Compliance team will be analyzing the FFIEC updates with an eye to any necessary adjustments to the NAFCU interactive workbook.


Online Credit Union Compliance Training: Find the right online compliance training for your credit union! Answer a few quick questions and instantly get a customized plan and price on the industry's best online training.

About the Author

Shari Pogach, NCCO, NCBSO, Regulatory Paralegal, NAFCU

Shari R. Pogach, NCCO, NCBSO, has served as Regulatory Paralegal for NAFCU's Regulatory Compliance and Regulatory Affairs divisions since 2007.