Following guidance set forth by NIST and others, the Federal Financial Institutions Examination Council (FFIEC) recently released a Cybersecurity Assessment Tool with the purpose of assisting federally supervised institutions in navigating the treacherous domains of cyberspace. As a reminder, the FFIEC is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency, and the Consumer Financial Protection Bureau, and to make recommendations to promote uniformity in the supervision of financial institutions. Generally speaking, the FFIEC supports the foregoing agencies by establishing extensive guidelines for compliance with various regulations, such as those adopted under the Gramm-Leach-Bliley Act (GLBA) of 1999.
The Cybersecurity Assessment Tool consists of two parts: 1) Inherent Risk Profile and 2) Cybersecurity Maturity. It fleshes out some of the principles highlighted within the FFIEC’s IT Handbook while formalizing prior cybersecurity recommendations outlined by the Council.
As to determining the inherent risk profile, the Council recommends examining five distinct categories: technologies and connection types, delivery channels, online/mobile products and technology services, organizational characteristics, and external threats. After the risk profile is identified, the next step is to evaluate cybersecurity maturity using the following five domains: cyber risk management and oversight, threat intelligence and collaboration, cybersecurity controls, external dependency management, and cyber incident management and resilience.
Recognizing that there is no “one size fits all” solution to cybersecurity, the Assessment Tool adopts many principles espoused by the NIST framework, with the ultimate goal of aligning an institution’s maturity with its inherent risk. Clearly, the FFIEC expects organizations to make thoughtful decisions regarding their cybersecurity postures, but it also understands that outlays must be proportionate to expected risk. The Assessment Tool is a valuable resource for determining your organization’s cybersecurity sweet spot.
Note: for more on the FFIEC’s Cybersecurity Assessment Tool please visit: http://www.ffiec.gov/cyberassessmenttool.htm