On October 18, 2016, the Federal Financial Institutions Examination Council published a set of Frequently Asked Questions to help financial institutions utilize the Council’s Cybersecurity Assessment Tool. The FAQs were announced as part of FIL-68-2016.
The Cybersecurity Assessment Tool is a voluntary process designed to help the management of financial institutions measure their cybersecurity risks and their ability to respond to a threat. The Tool was issued in June of 2015.
The FAQs address questions such as:
- Why did the FFIEC release the Assessment? A. To help institutions develop a “measurable” and “repeatable” mechanism to address the growing cybersecurity threats;
- How does the Assessment align with the NIST Cybersecurity Framework? A. The Assessment was developed using this framework along with the FFIEC IT Examination Handbook and “industry accepted cybersecurity practices.”
- Will the FFIEC release an automated version of the Assessment. A. Not at this time.
- Can the Assessment be used as part of my institutions’ oversight of third parties? A. Yes.
- Does the FFIEC plan to update the assessment? A. Yes, as threats and risks evolve.