On June 30, 2015, the Federal Financial Institutions Examination Council (FFIEC) published its Cybersecurity Assessment Tool (Assessment) to help financial institutions identify cybersecurity risks and determine their preparedness through a repeatable and measurable process over time. The FFIEC is the interagency body responsible for developing uniform reporting systems for federally supervised financial institutions, their holding companies, and the nonfinancial institution subsidiaries of those institutions and holding companies. Its constituent members include the Consumer Financial Protection Bureau (CFPB), the FDIC, the Federal Reserve, the National Credit Union Administration (NCUA), and the Office of the Comptroller of the Currency (OCC). It also coordinates with state financial regulators.
This tool was developed for financial institutions due to their inherent risks and dependence on information technology, their interconnectedness, and their evolving cyber threats. The FFIEC materials point out that its constituent members are reviewing and updating their substantive guidance for regulated institutions.
The Assessment consists of two parts: an inherent risk profile and a cybersecurity maturity evaluation. The inherent risk profile consists of determining the levels of inherent risk (from least to most, excluding mitigating controls) for each of the institution's activities, services, and products across five categories:
- technologies and interconnection types
- delivery channels
- online or mobile products and technology services
- organizational characteristics
- external threats
The cybersecurity maturity evaluation attempts to measure the applicable controls (increasing from baseline to innovative) across five domains:
- cyber risk management and oversight (governance, risk management, training, and resources)
- threat intelligence, monitoring, and collaboration
- cybersecurity controls (prevention, detection, and correction)
- external dependency management
- cyber incident management (including mitigation and reporting) and resilience
The Assessment is designed to help combine the inherent risk profile of each category with the related cybersecurity maturity for each domain to ensure the institution achieves an appropriate maturity level for each inherent risk (with the greatest maturity level required with respect to the highest risk levels).
The tool also contains an overview for institutions boards of directors and senior management, which clearly shows the trend of making cybersecurity a senior management and board responsibility, and not just an IT function. Moreover, it is expected that the regulators will examine cybersecurity issues with greater scrutiny in their examinations. Accordingly, boards of directors and senior management, regardless of institution size, will need to continue to focus on cybersecurity issues.