FFIEC Assessment Tool Provides Repeatable and Quantifiable Process for Financial Institutions to Gauge Cybersecurity Risk and Preparedness
On June 30, the Federal Financial Institutions Examination Council (“FFIEC”) released a voluntary Cybersecurity Assessment Tool (“Assessment Tool”) to aid financial institutions in evaluating their inherent cybersecurity risk profile and determining their level of cybersecurity preparedness. The Assessment Tool provides financial institutions five criteria on which to evaluate their risk profiles: technologies and connection types, delivery channels, online/mobile products and technology services, organizational characteristics, and external threats. It also provides five criteria for evaluating cybersecurity preparedness, what the FFIEC calls “cybersecurity maturity”: cyber risk management and oversight, threat intelligence and collaboration, cybersecurity controls, external dependency management, and cyber incident management and response. Though the FFIEC says that use of the Assessment Tool is optional, the Board of Governors of the Federal Reserve System (“FRB”), the Federal Deposit Insurance Corporation (“FDIC”) and the Office of the Comptroller of the Currency (“OCC”) have said that it will be discussed or used during examinations of financial institutions.
The FFIEC is an interagency body that promotes uniformity in the supervision of financial institutions. Its members are the FRB, the FDIC, the National Credit Union Administration, the OCC, and the Consumer Financial Protection Bureau, as well as the State Liaison Committee, which represents state banking, savings institution and credit union supervisors.
In the summer of 2014, FFIEC members conducted a pilot assessment of cybersecurity readiness at more than 500 community financial institutions. In November of that year, the FFIEC released its general observations from the pilot assessment, concluding that “[t]oday’s financial institutions are critically dependent on [information technology (“IT”)] to conduct business operations” and that “[t]his dependence, coupled with increasing sector interconnectedness and rapidly evolving cyber threats, reinforces the need for engagement by the board of directors and senior management.” The FFIEC also highlighted the importance of a financial institution’s management understanding its inherent cyber risk, routinely discussing cybersecurity issues, monitoring threats, maintaining a dynamic control environment, managing third-party connections, and developing and testing business continuity plans that incorporate cyber incident scenarios.
In March 2015, the FFIEC outlined seven cybersecurity workstreams stemming from its pilot assessment. In addition to developing the Assessment Tool, the FFIEC committed to enhancing incident analysis, crisis management, training, policy development, and collaboration with law enforcement and intelligence agencies. FFIEC members also agreed to expand their focus on technology service providers’ ability to respond to cyber threats.
The Assessment Tool’s release comes amid heightened regulatory concern regarding financial institutions’ cybersecurity preparedness and growing calls from financial institutions for greater uniformity among the regulatory agencies in their respective cybersecurity examination procedures and questions. For example, testifying before the House Subcommittee on Financial Institutions and Consumer Credit this past April, the Executive Director of the Financial Services Sector Coordinating Council,1 Gregory T. Garcia, asserted that although “[t]he financial sector supports the need for regulatory guidance on effective standards of practice for cybersecurity risk management . . . there is not sufficient coordination among” the regulatory agencies.
According to the FFIEC, the Assessment Tool is designed for financial institutions of all sizes and is intended to provide a measurable and repeatable assessment tool, to be completed periodically on an enterprise-wide basis and as significant operational and technological changes occur. It can also be used before new products, services or initiatives are introduced to better understand how these might affect the institution’s cyber risk and preparedness.
The Assessment Tool is divided into two parts: an assessment of the institution’s inherent risk profile before implementation of any controls and an evaluation of the institution’s cybersecurity maturity as reflected by controls in place. By conducting both parts of the assessment, management can determine whether the institution’s cybersecurity preparedness is appropriate to its institution-specific risks. If needed, management can then take action to reduce risk or increase the institution’s maturity levels.
To complete the Assessment Tool, institutions first are to assess their inherent risk profile in the following five categories:
- Technologies and Connection Types: Among other things, the number of internet service provider and third-party connections the institution maintains, whether systems are hosted internally or externally, the extent of cloud services, and the use of personal devices.
- Delivery Channels: The variety and number of the institution’s product and service delivery channels, such as online, mobile and automated teller machine (ATM) operations.
- Online/Mobile Products and Technology Services: The different products and services offered by the institution, including various payment services such as debit and credit cards, person-to-person payments and global remittances. This category also includes consideration of whether the institution provides technology services to other organizations.
- Organizational Characteristics: Relevant characteristics include mergers and acquisitions, changes in the institution’s information technology environment, the number of direct employees and cybersecurity contractors, the number of users with privileged access, and locations of business presence, operations and data centers.
- External Threats: The volume and sophistication of cyberattacks targeting the institution.
For each criterion, an institution is to rate its risk level as least, minimal, moderate, significant, or most. To facilitate this process, the user guide for the Assessment Tool specifies various factors that inform each of the five categories above, along with qualitative and/or quantitative measures by which each factor can be evaluated. For example, within the category “Technologies and Connection Types,” one factor is wireless network access. Having no wireless network access is judged to be the “least” risk level, while having separate access points for guest wireless and corporate wireless is judged to be the “minimal” risk level; higher levels of risk apply depending on the number of users and access points. For each category above, there are between one and 14 different factors.
Institutions then are to evaluate their cybersecurity maturity in each of the following five domains:
- Cyber Risk Management and Oversight: The board of directors’ oversight and management’s implementation of an effective, enterprise-wide cybersecurity program with comprehensive policies and procedures, adequate resources and proper training.
- Threat Intelligence and Collaboration: Processes to effectively discover, analyze and understand cyber threats, and share threat information internally and with third parties.
- Cybersecurity Controls: Practices and processes used to strengthen the institution’s defensive posture through continuous, automated protection and monitoring, including controls used to prevent and detect cyberattacks as well as correct any vulnerabilities.
- External Dependency Management: A comprehensive program to oversee and manage external connections and third-party relationships with access to the institution’s technology assets and information.
- Cyber Incident Management and Resilience: Incident resilience planning, strategy and testing; steps taken by management to identify, prioritize, respond to and mitigate the effects of threats and vulnerabilities; and proper escalation of information and reporting to key stakeholders, including regulators, law enforcement and customers.
Institutions are to rate themselves in each category as baseline, evolving, intermediate, advanced, or innovative. Within each category, the Assessment Tool’s user guide specifies two to four “Assessment Factors,” each of which is in turn broken down into sub-factors. For example, the Assessment Factors for the Cyber Risk Management and Oversight category are Governance, Risk Management, Resources, and Training and Culture. The Governance Assessment Factor is then broken down into sub-factors of Oversight, Strategy/Policies, and IT Asset Management. The user guide then provides extensive narrative descriptions of what institutional characteristics merit the various ratings.
According to the FFIEC, the controls needed to attain the lowest level of maturity—baseline—are consistent with minimum risk management and control expectations required by law and regulations or recommended in supervisory guidance, including the FFIEC IT Examination Handbook.
Financial institutions are rightly concerned about the proliferation of potentially inconsistent standards for cybersecurity preparedness. To address this issue, the FFIEC says that the Assessment Tool incorporates concepts from well-known industry standards, such as the National Institute for Standards and Technology (“NIST”) Cybersecurity Framework, and has released appendices mapping the tool to the NIST Framework and mapping its baseline items to the FFIEC IT Examination Handbook.
Use of the Assessment Tool by institutions is voluntary, but the FDIC has said its examiners “will discuss the Cybersecurity Assessment Tool with institution management during examinations to ensure awareness and assist with answers to any questions,” and the OCC has said its examiners “will use the Assessment to supplement exam work to gain a more complete understanding of an institution’s inherent risk, risk management practices, and controls related to cybersecurity.” In addition, the OCC and the FRB have said they will incorporate the Assessment Tool into their bank examination processes beginning late this year or early next year. The FFIEC has also said that it plans to update the Assessment Tool as cyber threats, vulnerabilities and operational environments evolve. The FFIEC encourages institutions to comment on the Assessment Tool through a forthcoming Federal Register Notice. Changes to the Assessment Tool may result from the notice and comment process.
Finally, the FFIEC says the Assessment Tool is intended to complement, not replace, an institution’s risk management processes and cybersecurity program. Individual state or federal regulators may also have more stringent cybersecurity expectations for the institutions they supervise.