On June 30, 2015, the Federal Financial Institutions Examination Council (FFIEC) released its long-anticipated Cybersecurity Assessment Tool. The FFIEC is a formal interagency organization empowered to create uniform principles, standards and report forms for the federal examination of financial institutions governed by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC) and the Consumer Financial Protection Bureau (CFPB).
The Cybersecurity Assessment Tool is designed to assist all financial institutions in conducting a self-assessment of cyber risks and to inform their risk management strategies. Although it was prepared for financial institutions, the principles and processes outlined in the Assessment can be adapted and used by most organizations to inform management of their organization’s cybersecurity risks and preparedness.
The Assessment incorporates guidance and concepts from the National Institute of Standards and Technology (NIST) Cybersecurity Framework, which was prepared to help critical infrastructure organizations better manage and reduce cyber risk. The Tool also includes a mapping between the Assessment and the NIST Cybersecurity Framework.
The Assessment is divided into two parts: (1) Inherent Risk Profile; and (2) Cybersecurity Maturity.
Under the Inherent Risk Profile, an organization uses the Assessment to identify its baseline level of risk across the following threat types:
- Technologies and Connection Types
- Delivery Channels
- Online/Mobile Products and Technology Services
- Organizational Characteristics
- External Threats
A review of these threat types demonstrates that the Assessment is applicable to more than just financial institutions. These basic threats pose a risk to most organizations that have widely incorporated computers, mobile computing and the internet into their operations.
Under the Cybersecurity Maturity section, an organization uses the Assessment to compare its risk levels to the corresponding controls. The Assessment helps the organization measure its cybersecurity preparedness practices, processes and policies across the following domains:
- Cyber Risk Management and Oversight
- Threat Intelligence and Collaboration
- Cybersecurity Controls
- External Dependency Management
- Cyber Incident Management and Resilience
The Assessment also helps management interpret and analyze the results to guide decisions concerning the organization’s application of resources to appropriately address identified risks.
As the various financial regulatory agencies have incorporated cybersecurity into their institutional examinations, all financial institutions should begin to use the Assessment as soon as possible. Other organizations can also benefit from the guidance and principles contained in the Assessment.