Senior Management and Boards Should Be Actively Addressing and Incorporating Cybersecurity into Their Overall Enterprise Risk Management Framework
- The Federal Financial Institutions Examination Council (FFIEC) released a Cybersecurity Assessment Tool (CAT) on June 30, 2015, to assist organizations in identifying cyber risks and assessing their cybersecurity preparedness.
- A critical point regarding the CAT is that it is intended to complement – not replace – an institution’s risk management process and cybersecurity program.
- By addressing a letter directly to CEOs and board members, the FFIEC has made clear exactly what it believes are the responsibilities of those in the “C-Suite” and board rooms.
The Federal Financial Institutions Examination Council (FFIEC) released a Cybersecurity Assessment Tool (CAT) on June 30, 2015, to assist organizations in identifying cyber risks and assessing their cybersecurity preparedness. The CAT, in essence, is an assessment model, as opposed to a technical tool, and is designed to give institutions a repeatable, measurable process for tracking their cybersecurity preparedness over time. A critical point regarding this process, however, is that it is intended to complement – not replace – an institution’s risk management process and cybersecurity program.
The principles set forth in the CAT are consistent with the FFIEC Information Technology Examination Handbook and the National Institute of Standards and Technology (NIST) Cybersecurity Framework, as well as accepted industry practices. The CAT is broken down into two parts: (1) the Inherent Risk Profile, which gauges the institution's inherent cyber risk based on its activities, technologies, delivery channels and other characteristics before considering any controls, and (2) Cybersecurity Maturity, which rates the institution's controls and practices across five domains on a scale from "baseline" to "innovative." Comparing the two parts shows whether an institution's level of preparedness is appropriate for its level of risk. (See Holland & Knight's Privacy Blog, "FFIEC Launches Cybersecurity Assessment Tool," July 1, 2015.)
The FFIEC has also published several other resources to supplement the CAT, including an Overview for Chief Executive Officers and Boards of Directors (Executive Overview). The FFIEC recommends that organizations first read the Executive Overview before implementing the measures set forth in the CAT.
In the Executive Overview, the FFIEC outlines what it views as the roles and responsibilities of chief executive officers (CEOs) and board members as well as key considerations for management when implementing the CAT. Given the focus and attention on cybersecurity from regulators (here, for example, the FFIEC's member agencies: the CFPB, FDIC, FRB, NCUA, OCC and SLC) as well as legislators, it is important that executives and directors outside the IT function understand what this means for them. By addressing a letter directly to CEOs and board members, the FFIEC has made clear exactly what it believes are the responsibilities of those in the “C-Suite” and board rooms. (See Holland & Knight's Privacy Blog, "Congress Turns to Cyber and Data Breach Legislation," April 14, 2015.)
The following are the roles of key players and essential considerations according to the FFIEC.
Role of CEOs
The FFIEC states that the role of the CEO, with management’s support, includes responsibility for:
- developing a plan to conduct the CAT assessment
- leading employee efforts during the CAT assessment to facilitate timely responses from across the institution
- setting the target state of cybersecurity preparedness that best aligns to the board’s stated (or approved) risk appetite
- reviewing, approving, and supporting plans to address risk management and control weaknesses
- analyzing and presenting results for executive oversight, including key stakeholders and the board, or an appropriate board committee
Role of Boards of Directors
The FFIEC identifies the role of the board (or an appropriate board committee) as having the following responsibilities:
- engaging management in establishing the institution’s vision, risk appetite and overall strategic direction
- approving plans to use the CAT
- reviewing management’s analysis of the CAT assessment results, including any reviews or opinions on those results issued by independent risk management or internal audit functions
- reviewing management’s determination of whether the institution’s cybersecurity preparedness is aligned with its risks
- reviewing and approving plans to address any risk management or control weaknesses
- reviewing the results of management’s ongoing monitoring of the institution’s exposure to and preparedness for cyberthreats
Key Considerations for Management and Boards
The FFIEC noted that an essential part of implementing the CAT is to validate the organization’s process and findings as well as the effectiveness and sufficiency of the plans to address any identified weaknesses. To assist management and the board in doing so, the FFIEC provided several key questions for consideration throughout this process:
Cybersecurity Management and Oversight
- What are the potential cyberthreats to the institution?
- Is the institution a direct target of attacks?
- Is the institution’s cybersecurity preparedness receiving the appropriate level of time and attention from management and the board or an appropriate board committee?
- Do the institution’s policies and procedures demonstrate management’s commitment to sustaining appropriate cybersecurity maturity levels?
- What is the ongoing process for gathering, monitoring, analyzing and reporting risks?
- Who is accountable for assessing and managing the risks posed by changes to the business strategy or technology?
- Are the accountable individuals empowered with the authority to carry out these responsibilities?
- Do the inherent risk profile and cybersecurity maturity levels meet management’s business and risk management expectations? If there is misalignment, what are the proposed plans to bring them into alignment?
- How can management and the board, or an appropriate board committee, make this process part of the institution’s enterprise-wide governance framework?
Inherent Risk Profile (CAT Part One)
- What is the process for gathering and validating the information for the inherent risk profile and cybersecurity maturity?
- How can management and the board, or an appropriate board committee, support improvements to the institution’s process for conducting the CAT assessment?
- What do the results of the CAT assessment mean to the institution as it looks at its overall risk profile?
- What are the institution’s areas of highest inherent risk?
- Is management updating the institution’s inherent risk profile to reflect changes in activities, services and products?
Cybersecurity Maturity (CAT Part Two)
- How effective are the institution’s risk management activities and controls identified in the CAT assessment?
- Are there more efficient or effective means for attaining or improving the institution’s risk management and controls?
- On what third parties does the institution rely to support critical activities?
- What is the process to oversee third parties and understand their inherent risks and cybersecurity maturity?
- How does management validate the type and volume of attacks?
- Is the institution sharing threat information with peers, law enforcement and critical third parties through information-sharing procedures?
The CAT assessment is designed to enhance cybersecurity oversight and management capabilities, identify gaps in risk management practices and inform associated risk management strategies. The FFIEC’s recommendations reinforce the notion that cybersecurity is now an issue that boards and senior management should not only be considering but also actively addressing and incorporating into their overall enterprise risk management framework.