In 2014, the Federal Financial Institutions Examination Council (FFIEC) performed cybersecurity assessments with approximately 500 of its members to evaluate the cyber risk awareness of smaller institutions (those with less than $1 billion in total assets) and their preparedness to mitigate these hazards.
At the close of the assessment, FFIEC determined that inherent risk fluctuates considerably from one financial institution to another. In response, FFIEC developed the Cybersecurity Assessment Tool to help institutions implement programs that complement their existing risk management process. The tool, released in June 2015, incorporates cybersecurity principles and standards from several sources, including the National Institute of Standards and Technology and FFIEC’s Information Technology Handbook.
How the assessment tool functions
Thanks to the Cybersecurity Assessment Tool, chief executive officers and senior management now have a guide at their disposal to improve their understanding of their institution’s maturity when it comes to mitigating risk. This is especially important as an increasing number of cyberattacks are affecting organizations and their networks.
Implementation of the FFIEC tool would help ensure that the CEO and senior management:
- Have a plan in place to perform the assessment
- Guide and assist employee efforts to facilitate timely responses throughout the institution, creating an even stronger risk-based posture and culture
- Make decisions based on risk appetite, that is, on how much risk the institution is comfortable bearing
- Review, approve and support plans to address risk management and control weaknesses
- Analyze, document and present results to executives in a meaningful and understandable report
- Monitor performance and oversee changes to maintain or increase the desired level of cybersecurity preparedness as areas of cyber risk evolve
By implementing the FFIEC tool, the institution’s board would also have responsibilities that would include:
- Require management to establish the institution’s vision, risk appetite and strategic direction
- Approve the assessment plans developed by management
- Review management’s documented assessment results, including any independent, unbiased reviews of the testing performed by internal or external auditors
- Review the institution’s cybersecurity preparedness and its alignment with the institution’s risks
- Review and approve plans to address risk and control deficiencies, and monitor the institution’s exposure to and preparedness for cyberthreats
Components of the Cybersecurity Assessment Tool
The assessment tool consists of two parts: the Inherent Risk Profile and the Cybersecurity Maturity assessment. Cybersecurity inherent risk is the amount of risk posed by the financial institution’s technologies, network connections, organizational characteristics, external threats, and online and mobile platforms and services. Inherent risk is evaluated without regard to controls, even where risk-mitigating controls are already in place, and the tool rates it on a scale from low to high, creating a baseline.
Cybersecurity maturity allows management to assess whether current controls provide the desired level of preparedness by measuring and evaluating the institution’s maturity level across five domains:
- Cyber Risk Management and Oversight
- Threat Intelligence and Collaboration
- Cybersecurity Controls
- External Dependency Management
- Cyber Incident Management and Resilience
The tool is designed to offer a measurable and repeatable procedure for assessing an institution’s level of cybersecurity risk and preparedness. For it to be a useful addition to an institution’s existing procedures, the assessment should be repeated periodically and whenever significant operational or technological changes occur.
Once management and the board understand their current inherent risks and maturity levels, the next step is to improve and close control gaps identified by the assessment.
What to expect from regulators
Currently, it does not appear that financial institutions will be heavily examined for compliance with these cybersecurity controls right away. However, this does not mean regulators won’t ask questions regarding the institution’s current state of cyber risk and cybersecurity maturity in the coming examination year.
The Board of Governors of the Federal Reserve has indicated it will provide financial institutions and the greater finance industry with the opportunity to comment on the assessment tool and will incorporate feedback. The stated goal of this process is to “minimize burden for financial institutions with low cybersecurity risk profiles and, potentially, supplement expectations for financial institutions with significant cybersecurity risk profiles.”
According to its statement, the Fed will begin utilizing the assessment tool as part of its examination process in late 2015 or early 2016. The tool will help the Fed to evaluate a financial institution’s “cybersecurity preparedness in information technology and safety and soundness of examinations and inspections.”
The Office of the Comptroller of the Currency (OCC) also adopted the assessment as part of its bank examination process to evaluate banks’ cybersecurity efforts; OCC examiners began incorporating it into examinations in late 2015.
“While use of the Assessment is optional for financial institutions, OCC examiners will use the Assessment to supplement exam work to gain a more complete understanding of an institution’s inherent risk, risk management practices, and controls related to cybersecurity,” the OCC said in a statement.
Examiners with the Federal Deposit Insurance Corporation (FDIC) will also reference the Cybersecurity Assessment tool when speaking with a financial institution’s management during examinations in order to help institutions identify risks and assist in answering any questions.
Implementing the assessment tool
Information technology examinations are scored under the “M” (Management Capability) component of the CAMELS rating. If a financial institution chooses not to complete the cybersecurity assessment, this may raise a regulator’s concern about management’s ability to manage cyber risks.
The Cybersecurity Assessment Tool is one of the most significant guides the FFIEC has published in a number of years. That, together with the tool having been developed around a first-class information security program, should be a major incentive for a financial institution to complete the assessment.
Implementing the assessment tool is currently voluntary. However, LaPorte recommends getting a jump on it now, before it is required. While the areas discussed in this post should benefit your financial institution and provide a general direction for implementing the tool, more information and guidance is available on the FFIEC website.
If you have additional questions about the Cybersecurity Assessment Tool, how to begin, or need assistance in implementing the assessment, please contact Vincent J. Maggiore, CISA at [email protected] or Eric Bosch, CPA, at [email protected].