On June 30, 2015, the Federal Financial Institutions Examination Council (“FFIEC”) released a Cybersecurity Assessment Tool (“Tool”) to help financial institutions identify their cybersecurity risks and determine their ability to manage those risks. The Tool is intended to give institutions a repeatable, measurable process for assessing their cyber preparedness over time, and it draws on the FFIEC Information Technology Examination Handbook, the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework, and other regulatory guidance.
The Tool emphasizes the importance of engagement in cybersecurity planning by an institution’s senior management, including the chief executive officer and the board of directors. It states that management should engage by planning and conducting the assessment, supporting the resulting risk management plans, and overseeing changes to the institution’s cybersecurity policies and controls.
The assessment itself consists of two parts: the Inherent Risk Profile and Cybersecurity Maturity. The Inherent Risk Profile is a methodology for rating an institution’s inherent risk, before any controls are applied, on a scale from Least to Most across categories such as delivery channels, online and mobile products and technology, and external threats. The Cybersecurity Maturity component rates an institution’s cybersecurity controls on a scale from Baseline through Evolving, Intermediate, and Advanced to Innovative, with each level defined by declarative statements that the institution either meets or does not meet. Read together, the two parts allow an institution to compare its maturity against its inherent risk and identify areas in need of improvement.