Why it matters
As anticipated, the Federal Financial Institutions Examination Council (FFIEC) released its Cybersecurity Assessment Tool, providing a process for financial institutions' management to gauge their institution's readiness in the face of increasing cybersecurity threats.
While the FFIEC noted that use of the Assessment Tool is voluntary, the release materials include an Overview for Chief Executive Officers and Boards of Directors, signaling that that regulators expect top-level management to ensure that their institutions systematically assess and manage cybersecurity risks. Further, several banking agencies plan to use the Assessment Tool in future regulatory exams.
Noting the "increasing volume and sophistication of cyber threats," the FFIEC, which consists of the Consumer Financial Protection Bureau, the Federal Deposit Insurance Corporation, the Board of Governors of the Federal Reserve System, the National Credit Union Administration, the Office of the Comptroller of the Currency, and the State Liaison Committee, released its highly anticipated Cybersecurity Assessment Tool on June 30, 2015.
Based on a pilot program in which the FFIEC evaluated 500 community financial institutions' preparedness to mitigate cyber risks, the Assessment Tool consists of a series of matrices that enable an institution to gauge its cybersecurity preparedness. To help navigate the Assessment Tool, the FFIEC provided a User's Guide, an Overview for Chief Executive Officers and Boards of Directors, a Glossary, and additional resources.
The Office of the Comptroller of the Currency and the Board of Governors of the Federal Reserve System have announced that they plan to use the Assessment Tool in examinations beginning as early as late 2015. The FDIC intends to discuss the use of the Assessment Tool with institution management during regulatory exams.
The Assessment Tool consists of two parts: an Inherent Risk Profile and analysis of the financial institution's Cybersecurity Maturity. "Upon completion of both parts, management can evaluate whether the institution's inherent risk and preparedness are aligned," the FFIEC explained.
In Part 1, the Inherent Risk Profile, a financial institution determines its overall risk profile based on five categories: technologies and connection devices; delivery channels; online/mobile products and technology services; organizational characteristics; and external threats. Using descriptions of activities, a financial institution will determine which of the five levels of risk it falls into, ranging from least to minimal to moderate to significant to most inherent risk. After assessing each of the services, products, and activities, "management can review the results and determine the institution's overall inherent risk profile."
In Part 2, the Cybersecurity Maturity analysis, a financial institution considers its readiness based on five domains: cyber risk management and oversight; threat intelligence and collaboration; cybersecurity controls; external dependency management; and cyber incident management and resilience. Management evaluates whether its institution's behaviors, practices and processes can support cybersecurity preparedness for each domain by determining which of the Assessment Tool's declarative statements best fit the institution's current practices. For example, in the fifth domain—cyber incident management and resilience—the assessment factors include incident resilience planning and strategy; detection, response, and mitigation; and escalation and reporting.
Once both parts of the Assessment Tool are complete, management can review the relationship between the Inherent Risk Profile and the Cybersecurity Maturity results for each domain to determine whether they align. No single expected level exists for an institution, the FFIEC notes, although in general, "as inherent risk rises, an institution's maturity levels should increase."
The Assessment Tool's results can then help management identify what actions may be necessary to either decrease risk or heighten maturity.
Because financial institutions' Inherent Risk Profile and Cybersecurity Maturity levels will change over time, management should reevaluate the institution using the Assessment Tool periodically, the FFIEC suggests, particularly when making new connections or launching new products. In addition, the FFIEC plans to update the Assessment Tool "as threats, vulnerabilities, and operational environments evolve."
To access the Cybersecurity Assessment Tool and the other additional resources released by the FFIEC, click here.
The Office of the Comptroller of the Currency will host a webinar discussing the Assessment Tool for midsize and community banks on July 30, 2015, from 2:00 p.m. to 3:30 p.m. (ET). Click here for more information.