On June 30, 2015, the Federal Financial Institutions Examination Council (“FFIEC”), an interagency body that prescribes principles and standards for the federal examination of financial institutions, released a Cybersecurity Assessment Tool (“Assessment Tool”) intended to help institutions identify risks and consider their cybersecurity preparedness. The Assessment Tool’s release is in response to a pilot program conducted last year in which financial regulatory agency examiners conducted cybersecurity assessments of 500 community financial institutions during the summer of 2014.
The Assessment Tool consists of two parts: Inherent Risk Profile and Cybersecurity Maturity. The FFIEC indicates that upon completion of both parts, organizations will be able to evaluate whether their institution’s inherent risk and preparedness are aligned. The Assessment Tool is designed as a repeatable and measurable process for financial institutions to measure their cybersecurity preparedness over time.
The FFIEC lays out the following guidelines for institutions using the Assessment Tool:
- Step 1: Read the Overview for Chief Executive Officers and Boards of Directors, which offers insights on the benefits to institutions, the roles of the CEO and Board of Directors, and tips on how to support implementation.
- Step 2: Read the User's Guide to understand all of the different aspects of the Assessment Tool, how the Inherent Risk Profile and Cybersecurity Maturity relate, and the process for conducting the assessment.
- Step 3: Complete Part 1: Inherent Risk Profile to understand how each activity, service, and product contribute to the institution’s inherent risk and determine the institution’s overall inherent risk profile and whether a specific category poses additional risk.
- Step 4: Complete Part 2: Cybersecurity Maturity to determine the institution’s cybersecurity maturity levels across each of the five domains (Technologies and Connection Types, Delivery Channels, Online/Mobile Products and Technology Services, Organizational Characteristics, and External Threats).
- Step 5: Interpret and Analyze the Assessment Results to understand whether the institution’s inherent risk profile is appropriate in relation to its cybersecurity maturity and whether specific areas are not aligned. If management determines that the institution’s maturity levels are not appropriate in relation to the inherent risk profile, management should consider reducing inherent risk or developing a strategy to improve the maturity levels.
The FFIEC states that it will continue to update the Assessment Tool as cybersecurity threats evolve and is encouraging institutions to offer comments through an upcoming notice to be published in the Federal Register.
While the Assessment Tool is currently voluntary, financial regulatory agencies are expected to incorporate the tool into their examination processes as early as June 2016, according to Tim Segerson, deputy director of the office of examination and insurance at the National Credit Union Administration.
The FFIEC’s Cybersecurity Assessment Tool can be found here.