On October 18, 2016, the Federal Financial Institutions Examination Council (FFIEC) issued answers to frequently asked questions (FAQs) to clarify points in FFIEC’s Cybersecurity Assessment Tool (Assessment). FFIEC released the Assessment in June 2015 to help financial institutions identify their inherent risks and assess their cybersecurity preparedness. The Assessment incorporates cybersecurity principles from the FFIEC Information Technology (IT) Examination Handbook (the IT Handbook) and regulatory guidance, as well as concepts from other industry standards, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework (the NIST Framework). While FFIEC’s Assessment is a good tool for banks to evaluate their cybersecurity posture, some banks experienced challenges mapping their processes to the NIST Framework and interpreting FFIEC’s IT Handbook. FFIEC’s FAQs should resolve these common issues, but they also leave other questions open.
Questions Answered by FFIEC
The FFIEC does not intend to release an automated version of the Assessment, but it points institutions to the automated version that the Financial Services Information Sharing and Analysis Center (FS-ISAC) developed with the Financial Services Sector Coordinating Council. Given that financial institutions should already be participating in the FS-ISAC, institutions should consider using the FS-ISAC automated version of the Assessment. FFIEC further noted that banks can use the Assessment as part of their third party risk management program and described how banks can account for controls implemented by third party service providers. Finally, FFIEC explained the distinctions between declarative statements that repeat at different maturity levels and provided helpful advice on how banks should determine their inherent risk profile, as well as their cybersecurity maturity within each of the five domains.
Questions Raised by FFIEC
The FFIEC clarified that using the Assessment is voluntary and that banks may choose to use the Assessment, another framework, or another risk assessment process to identify inherent risk and cybersecurity preparedness. However, the FFIEC did not confirm that using the NIST Framework alone would be acceptable, or explain how it would examine an institution whose risk assessment process did not map baseline statements to FFIEC’s IT Handbook. Furthermore, the FFIEC did not specify any minimum cybersecurity standards that must be incorporated into an institution’s risk assessment process. The FFIEC mentioned that “the booklets of the IT Handbook are undergoing revision to incorporate changes in the industry since the last publication”, but did not say whether it will adopt requirements consistent with the first-in-the-nation minimum cybersecurity regulations (Proposed Regulations) that the New York Department of Financial Services (NY DFS) proposed on September 13, 2016. While this remains an open question for now, FFIEC would do well to make the cybersecurity guidance in the next update of the IT Handbook consistent with the NY DFS Proposed Regulations.