On October 18, 2016, the Federal Financial Institutions Examination Council published a set of Frequently Asked Questions to help financial institutions utilize the Council’s Cybersecurity Assessment Tool. The FAQs were announced as part of FIL-68-2016.

The Cybersecurity Assessment Tool is a voluntary process designed to help the management of financial institutions measure their cybersecurity risks and their ability to respond to a threat. The Tool was issued in June of 2015.

The FAQs address questions such as:

  • Why did the FFIEC release the Assessment? A. To help institutions develop a “measurable” and “repeatable” mechanism to address the growing cybersecurity threats.
  • How does the Assessment align with the NIST Cybersecurity Framework? A. The Assessment was developed using this framework along with the FFIEC IT Examination Handbook and “industry accepted cybersecurity practices.”
  • Will the FFIEC release an automated version of the Assessment? A. Not at this time.
  • Can the Assessment be used as part of my institution’s oversight of third parties? A. Yes.
  • Does the FFIEC plan to update the assessment? A. Yes, as threats and risks evolve.

The FAQs are available here, and the Assessment Tool is available here.