The Federal Financial Institutions Examination Council (FFIEC) recently issued an assessment tool meant to assist financial institutions in the detection of cybersecurity vulnerabilities and the prevention of cyber attacks.
The FFIEC is an interagency body that develops the principles and standards used by agencies and organizations empowered to examine financial institutions, such as the Consumer Financial Protection Bureau, the Office of the Comptroller of the Currency (OCC), and the Federal Deposit Insurance Corporation. Earlier this year, the FFIEC released a list of its cybersecurity priorities for 2015.
According to the FFIEC, cyber attacks increasingly threaten financial institutions’ financial, operational, legal and reputational wellbeing. The FFIEC’s new tool is designed to assist financial institutions in avoiding these threats by:identifying factors contributing to, and determining the institution’s overall, cyber risk; assessing the institution’s cybersecurity preparedness; evaluating whether the institution’s cybersecurity preparedness is aligned with its risks; determining risk-management practices and controls that could be enhanced and actions that could be taken to achieve the institution’s desired state of cyber preparedness; and informing risk-management strategies.
Because cybersecurity risks constantly evolve, the FFIEC noted in its overview, the assessment is meant to serve as a “repeatable and measurable process for institutions to measure their cybersecurity preparedness over time.”
The assessment is broken into two parts. The “Inherent Risk Profile” assists a financial institution in determining the level of risk associated with its activities, services and products. The “Cybersecurity Maturity” assessment helps management to measure cybersecurity preparedness within five “domains”:Cyber-risk management and oversight Threat intelligence and collaboration Cybersecurity controls External-dependency management Cyber-incident management and resilience.
In November, the FFIEC released observations associated with its own cybersecurity assessment conducted in the summer of 2014 at 500 financial institutions. The resulting guidance recommended that financial institutions enhance management-level employees’ understanding and awareness of cybersecurity risks.
The November report further noted that sophisticated attackers develop dynamic tools and techniques targeted to specific products and services. Thus, it is important to understand the unique risks posed by the financial institution’s specific menu of offerings (for instance, risks associated with the institution’s own ACH, ATMs, mobile applications, and/or cloud computing). The FFIEC recommended that all financial institutions participate in the Financial Services Information Sharing and Analysis Center, a forum for the sharing of information related to cybersecurity threats and incidents.
According to the FFIEC’s press release, it will accept comments regarding the assessment pursuant to an upcoming notice in the Federal Register. In addition, the OCC will host a webinar about the Cybersecurity Assessment Tool at 2-3:30 p.m. (ET) on July 30.