Banks and insured depository institutions are the targets of frequent and increasingly sophisticated cyberattacks. To address this problem, the Federal Financial Institutions Examination Council (FFIEC) – a government interagency body that prescribes uniform guidances, principles, and standards for depository institutions – has prioritized the strengthening of industry cybersecurity initiatives. Despite preventative efforts to thwart cyberattacks in the financial sector, some entities are unaware of their institutional vulnerabilities. In response, the FFIEC launched a “Cybersecurity Assessment Tool” to help institutions identify their risks and determine their cybersecurity maturity. The FFIEC developed the guidelines after consultations with other industries and consistent with the National Institute of Standards and Technology Cybersecurity Framework.

The Cybersecurity Assessment Tool provides institutions with a “repeatable and measurable process” to identify institutional threats and cybersecurity preparedness. The assessment consists of two parts: the “Inherent Risk Profile” assessment, and the “Cybersecurity Maturity” assessment.

Part one, the Inherent Risk Profile, measures a financial organization’s potential vulnerability to cyberattacks. The risk profile is based on five categories through which the organization’s activities, products, and services are assessed according to risk levels ranging from least risk to most inherent risk. The five categories are:

  1. Technologies and Connection Types
  2. Delivery Channels
  3. Online/Mobile Products and Technology Services
  4. Organizational Characteristics
  5. External Threats

Once the tool identifies the institution’s overall inherent risk and the threats associated with specific products, activities, or services, then management can measure the institution’s cybersecurity maturity.

Part two, the Cybersecurity Maturity assessment, identifies the overall health, innovation, and effectiveness of an entity’s cybersecurity methods and practices. Depository institution’s cybersecurity operations are categorized into five domains, which are evaluated through a series of “assessment factors.” For example, one of the domains, “Cyber Risk Management and Oversight” is evaluated by analyzing the assessment factors of governance, risk management, and resources of the organization.

Based on the results of the Cybersecurity Maturity Assessment, every depository entity is categorized into one of several levels of maturity:

  1. Baseline- institution adheres to the minimum expectations required by law and includes primarily client-driven objectives.
  2. Evolving- institution implements additional formalities and documented procedures or policies that are not already required by law.
  3. Intermediate- institution’s cybersecurity system follows detailed, formal processes and the controls are both validated and consistent. Further, risk management practices are integrated into a broad comprehensive strategy.
  4. Advanced- institution’s cybersecurity practices are well integrated across the business. In addition, the practices are automated and continue to improve.
  5. Innovative- institution drives cybersecurity processes, development and technologies for the industry to manage cyber-risk. The development of new tools and real time predictive analytics are tied to automated responses.

For directors and officers of corporations, utilization of this self-assessment tool will be very beneficial, both to protect the company from a cyber-incident or data breach, as well as to insulate the board from liability in the event that a derivative or other claim is asserted against the board. Particularly important is the fact that the assessment tool outlined by the FFIEC contemplates a “repeatable and measurable process” to evaluate corporate preparedness. An objective assessment such as this – if implemented thoughtfully and correctly – will go a very long way to insulating the board from liability under business judgment rule, should the board be sued.  (See Palkon v. Holmes, 2014 WL 5341880, D.N.J., Oct. 20, 2014; In Re Caremark International Inc. Derivative Litigation, 698 A.2d 959 (Ct. of Chancery, Del., 1996.)

The FFIEC’s new Cybersecurity Assessment Tool allows depository entities to monitor the intersection between cybersecurity risk and development. Because financial products and entities continue to progress and implement new technologies, coupled with ever-increasing and sophisticated cyberattacks, the use of the FFIEC assessment tool can help to expose vulnerabilities and limit the threat of cyberattacks across the industry. For more information on the FFIEC Cybersecurity Assessment Tool, please click here.

Ellie Gonso