On June 30, 2015, the FFIEC released a Cybersecurity Assessment Tool and User’s Guide (“Guide”) intended “to help institutions identify their risks and assess their cybersecurity preparedness.” Financial institutions handling sensitive customer data should view this as a mixed blessing.
It is often said by technology and cybersecurity experts that the question is not whether a company will experience a security breach, but when. The important question then is how the company responds to that breach. One implication of these statements is that an institution should do the best that it can, but that no one should be punished too severely when the inevitable breach occurs. It was, after all, unavoidable.
The release of the Cybersecurity Assessment Tool arguably changes that analysis. Now there are more specific standards against which institutions may be judged. Those who fail to conduct an adequate cybersecurity risk assessment and implement appropriate controls can expect, when the inevitable security breach occurs, that plaintiffs and regulators will point to the Cybersecurity Assessment Tool as evidence that the institution failed to take appropriate steps to mitigate the risks.
The Guide uses somewhat unusual terminology, but those institutions that already perform risk assessments in other areas should recognize the concepts. As with many good risk assessments, such as for consumer compliance or BSA/AML compliance, the Cybersecurity Assessment Tool has two parts: (1) identify the inherent risk and (2) identify the specific controls and practices that are in place to mitigate that risk, which the Guide refers to as the institution’s “Cybersecurity Maturity level.”
Inherent risk is the risk that simply exists before implementing controls. This risk profile assesses five categories and examples of factors to consider in each include:
- Technologies and Connection Types – wired vs. wireless access, outsourced vs. internally hosted systems, use of cloud services, and vendor access to internal systems;
- Delivery Channels – online and mobile delivery of services vs. in-branch services;
- Online/Mobile Products and Technology Services – issuance of credit, debit and prepaid cards, P2P payments, trust services, merchant acquiring services and global remittances;
- Organizational Characteristics – number of employees, IT considerations, number of locations, mergers and acquisitions; and
- External Threats – phishing campaigns and distributed denial of service attacks
The institution then should evaluate its Cybersecurity Maturity level for five domains:
- Cyber Risk Management and Oversight – Address management’s development, and the board’s oversight, of an enterprise-wide cybersecurity program that includes employee training and customer awareness.
- Threat Intelligence and Collaboration – Identify and monitor threats, then share information with internal and external stakeholders.
- Cybersecurity Controls – Continuously take preventative action, implement threat detection and alert procedures and resolve issues identified during scans and tests.
- External Dependency Management – Oversee and manage all third party connections through due diligence, written agreements and ongoing monitoring.
- Cyber Incident Management and Resilience –Involves planning, testing and implementing business continuity and disaster recovery plans, while also addressing mitigation efforts and notification requirements.
The inherent risk profile assessment should be completed periodically and “as significant operational and technological changes occur.” The Guide states that an institution “may want” to perform these periodic assessments, but no institution wants to have to say after a breach that “we did this assessment a few years ago and everything looked great then.”
In order to be sure that the assessment is effective and up to date, it should be conducted annually on an enterprise-wide basis and before launching any new product, service, or initiative so that the financial institution can increase its cybersecurity efforts to meet the additional risk burden.
It is important to note that the inherent risk profile is based on 5 risk levels, not low, medium and high, because the latter approach would not account for variations in depth and coverage and most institutions would inevitably come out with an overall risk rating of medium. The 5 risk levels are based on the type, volume and complexity of the operations within each category being assessed and the potential threats that are typically directed at or associated with such operations.
While a financial institution clearly cannot control or avoid all attempted hacks, the financial institution cancontrol how it responds to and mitigates the potential impact of a breach by having a tested action plan in place that is responsive to the level of risk facing an institution and its operations. The Guide contains more details on identifying and filing cybersecurity gaps and each bank needs to read, understand and implement the Guide. Non-bank entities that provide third party services to banks will also need to be aware of how the Guide will indirectly impact their cybersecurity expectations and requirements.