Channel: Risk Management Association Blog » FFIEC

FFIEC Releases Cybersecurity Assessment Tool


On June 30, 2015 the Federal Financial Institutions Examination Council issued a Cybersecurity Assessment Tool (Assessment) that financial institutions may use to evaluate their risks and cybersecurity preparedness.  Examiners will gradually incorporate the Assessment into examinations of all banks.

The FFIEC stated that the Assessment will help banks and examiners determine a bank’s inherent risk profile and level of cybersecurity preparedness.  In addition to the Assessment, the FFIEC has also made available resources institutions may find useful, including an executive overview, user’s guide, an online presentation explaining the assessment, and appendices mapping the Assessment’s baseline items to the FFIEC Information Technology Examination Handbook and to the National Institute of Standards and Technology’s Cybersecurity Framework.

Background

In 2014, one year before the release of the Assessment, FFIEC members piloted a cybersecurity examination work program at more than 500 community banks to evaluate their preparedness to mitigate cyber risks.  This effort supplemented the examination work already planned for each institution.  Based on the pilot, the FFIEC announced seven work streams that, in addition to the release of the Assessment, included plans to enhance the FFIEC agencies’ incident response analysis, crisis management training, and policy development, as well as a focus on the cybersecurity preparedness of technology service providers.

Assessment Tool

There are two parts to the Assessment:  an inherent risk profile and cybersecurity maturity.

  • Inherent risk profile identifies the amount of risk posed to a bank by the types, volume, and complexity of the bank’s technologies and connections, delivery channels, products and services, organizational characteristics, and external threats – before taking the bank’s risk-mitigating controls into account.
  • Cybersecurity maturity is evaluated in five domains: Cyber Risk Management and Oversight, Threat Intelligence and Collaboration, Cybersecurity Controls, External Dependency Management, and Cyber Incident Management and Resilience.  Each domain is rated at one of five maturity levels:  baseline, evolving, intermediate, advanced, and innovative.  The maturity levels appropriate for a given bank depend on its inherent risk profile; the higher the inherent risk, the higher the maturity the bank should target.

By reviewing both the institution’s inherent risk profile and maturity levels across the domains, the FFIEC states that management can determine whether the bank’s maturity levels are appropriate in relation to its risk.  If not, the bank may take action either to reduce the level of risk or to increase the levels of maturity.  The FFIEC states that this process is intended to complement, not replace, the bank’s risk management process and cybersecurity program.

The Assessment is designed to provide a measurable and repeatable process for assessing an institution’s level of cybersecurity risk and preparedness.  It is intended to be used primarily on an enterprise-wide basis and again whenever new products and services are introduced.  Enterprise-wide, management can review the inherent risk profile and the declarative statements in each domain to understand which policies, procedures, processes, and controls are in place and where gaps exist.  From that review, management can set a target maturity level for the institution in each domain.  Using the Assessment before launching a new product, service, or initiative helps management understand how the change would affect the bank’s inherent risk profile and, in turn, the maturity levels it should be targeting.

The FFIEC Cybersecurity Assessment Tool contains an Overview for Chief Executive Officers and Boards of Directors.  In addition to listing the benefits banks will derive from use of the Assessment, this overview discusses the role of the CEO and board of directors regarding cybersecurity preparedness.  The overview provides questions to assist management and the board when using the Assessment.

While the use of the Assessment is optional for institutions, examiners will use the Assessment to supplement exam work to gain a more complete understanding of an institution’s inherent risk, risk management practices, and controls related to cybersecurity.  Examiners will begin using the Assessment in late 2015.

The Assessment Tool and related information can be found at the following link:  http://www.ffiec.gov/cyberassessmenttool.htm

The OCC will host a webinar on the Assessment Tool for its midsize and community bankers on July 30, 2015 from 2:00 PM to 3:30 PM ET.  More information can be found on the OCC website:  www.occ.treas.gov
