Remember the FFIEC Pilot Program? The assessment is here!
On June 30, 2015, the Federal Financial Institutions Examination Council (FFIEC) released its Cybersecurity Assessment Tool (Assessment Tool) to help financial institutions identify their cybersecurity risks and assess their preparedness. The release of this assessment comes on the heels of the FFIEC’s cybersecurity pilot assessment at more than 500 financial institutions around the nation.
The FFIEC member organizations suggest that financial institutions of all sizes use the Assessment Tool to perform an assessment of their cybersecurity risk posture to evaluate the effectiveness of their cybersecurity risk management practices. While the use of the Assessment Tool is currently optional, regulators plan to incorporate the tool and its results into their exam approach sometime in 2016.
The Assessment Tool is designed to provide institutions with a measurable and repeatable process to assess an institution’s level of cybersecurity risk and its management and mitigation of that risk. The Assessment Tool is meant to be an enterprise-wide risk management tool, used and revisited periodically by management and whenever significant technological changes occur. The Assessment Tool has two main components that all financial institutions must become familiar with: the Inherent Risk Profile and Cybersecurity Maturity.
Inherent Risk Profile
This area of the assessment helps the institution identify its inherent cybersecurity risk using a common framework. The Inherent Risk Profile takes into account the financial institution’s various activities, services and products, organized into the following categories:
- Technologies and Connection Types
- Delivery Channels
- Online/Mobile Products and Technology Services
- Organizational Characteristics
- External Threats
An inherent risk level is selected for each activity, service or product within each of these categories. Inherent risk is assessed without taking current mitigating controls into consideration.
Cybersecurity Maturity
This area of the assessment helps the institution determine its maturity level within each of the following five domains:
- Cyber Risk Management and Oversight
- Threat Intelligence and Collaboration
- Cybersecurity Controls
- External Dependency Management
- Cyber Incident Management and Resilience
The maturity level within these five domains is then assessed based on a set of pre-defined declarative statements that describe how the behaviors, practices and processes of an institution can consistently produce the desired outcomes. The maturity levels range from “Baseline” to “Innovative.”
Once these exercises have been performed, it is up to the financial institution to analyze and interpret the results to understand if the risk and maturity level of the institution are properly aligned. Management should then use this information to assist the institution in maintaining an appropriate level of cybersecurity preparedness.
Contact us to learn more about the FFIEC Cybersecurity Assessment Tool and how Schneider Downs can help you become compliant, and visit our blog, Our Thoughts On, for more articles relating to this topic.