The FFIEC member agencies recommend that financial institutions of all sizes use the Assessment Tool to assess their cybersecurity risk posture and the effectiveness of their cybersecurity risk management practices. Use of the Assessment Tool is currently voluntary, but regulators plan to incorporate the tool and its results into their examination approach during 2016.
The Assessment Tool is designed to give institutions a measurable and repeatable process for assessing their level of cybersecurity risk and the management and mitigation of that risk. It is meant to be an enterprise-wide risk management tool that management uses and revisits periodically, and again whenever significant technological changes occur. The Assessment Tool has two main components that every financial institution must become familiar with: the Inherent Risk Profile and Cybersecurity Maturity.
Inherent Risk Profile
This part of the assessment helps the institution identify its inherent cyber risk using a common framework. The Inherent Risk Profile takes into account the financial institution’s activities, services and products, organized into the following five categories:
Technologies and Connection Types
Delivery Channels
Online/Mobile Products and Technology Services
Organizational Characteristics
External Threats
An inherent risk level (Least, Minimal, Moderate, Significant or Most) is selected for each activity, service or product within each category. Inherent risk is the risk posed before any controls are applied, so existing mitigating controls are not taken into consideration when identifying it; those controls are evaluated in the Cybersecurity Maturity component instead.
Cybersecurity Maturity
This part of the assessment helps the institution determine its maturity level within each of the following five domains:
Cyber Risk Management and Oversight
Threat Intelligence and Collaboration
Cybersecurity Controls
External Dependency Management
Cyber Incident Management and Resilience
The maturity level within each of these five domains is assessed against a set of pre-defined declarative statements that describe how an institution’s behaviors, practices and processes can consistently produce the desired outcomes. The maturity levels, from lowest to highest, are Baseline, Evolving, Intermediate, Advanced and Innovative. Baseline statements represent the minimum expectations required by law, regulation or supervisory guidance, and an institution reaches a given maturity level in a domain only when it has attained all of the declarative statements at that level and at every level below it.
Once both components have been completed, it is up to the financial institution to analyze and interpret the results and determine whether its cybersecurity maturity is appropriately aligned with its inherent risk profile; as inherent risk increases, the expected maturity level increases with it. Where maturity falls short of the level appropriate for the institution’s risk, management should use this information to prioritize improvements and maintain an appropriate level of cybersecurity preparedness.
You’ve heard our thoughts. We’d like to hear yours.
The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].
Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.