FFIEC Cybersecurity Assessment Tools Released - Are You Prepared?

By Dan Desko

Remember the FFIEC Pilot Program?  The assessment is here!

On June 30, 2015, the Federal Financial Institutions Examination Council (FFIEC) released its Cybersecurity Assessment Tool (Assessment Tool) to help financial institutions identify their cybersecurity risks and assess their preparedness.  The release of this assessment comes on the heels of the FFIEC’s cybersecurity pilot assessment at more than 500 financial institutions around the nation.

The FFIEC member organizations suggest that financial institutions of all sizes use the Assessment Tool to assess their cybersecurity risk posture and to evaluate the effectiveness of their cybersecurity risk management practices.  While the use of the Assessment Tool is currently optional, regulators plan to incorporate the tool and its results into their exam approach sometime in 2016.

The Assessment Tool is designed to provide institutions with a measurable and repeatable process for assessing their level of cybersecurity risk and how well that risk is managed and mitigated.  It is meant to be an enterprise-wide risk management tool that management uses and revisits periodically, and whenever significant technological changes occur.  The Assessment Tool has two main components that all financial institutions must become familiar with: the Inherent Risk Profile and Cybersecurity Maturity.

Inherent Risk Profile

This area of the assessment helps the institution identify its inherent cyber risk using a common framework.  The Inherent Risk Profile takes into account the financial institution’s various activities, services and products, organized into the following categories:

  • Technologies and Connection Types
  • Delivery Channels
  • Online/Mobile Products and Technology Services
  • Organizational Characteristics
  • External Threats

Inherent risk levels are to be selected for each of the activities, services or products within each of these categories.  Inherent risk assessments do not take current mitigating controls into consideration when identifying the risk.

Cybersecurity Maturity

This area of the assessment helps the institution determine the maturity level within each of the following five domains:

  • Cyber Risk Management and Oversight
  • Threat Intelligence and Collaboration
  • Cybersecurity Controls
  • External Dependency Management
  • Cyber Incident Management and Resilience

The maturity level within these five domains is then assessed based on a set of pre-defined declarative statements that describe how the behaviors, practices and processes of an institution can consistently produce the desired outcomes.  The maturity levels range from “Baseline” to “Innovative.”

Once these exercises have been performed, it is up to the financial institution to analyze and interpret the results to understand if the risk and maturity level of the institution are properly aligned.  Management should then use this information to assist the institution in maintaining an appropriate level of cybersecurity preparedness.

Contact us to learn more about the FFIEC Cybersecurity Assessment Tool and how Schneider Downs can help you become compliant, and visit our blog, Our Thoughts On, for more articles relating to this topic.
