What Banks Need to Know About FFIEC’s New Cybersecurity Assessment Tool

Recent high-profile cyber-attacks targeting institutions such as JPMorgan Chase and cyber-threats such as Dyre malware (an aggressive Trojan targeting the banking industry), showed that cyber incidents can have significant financial, operational, legal, and reputational impact on financial institutions. Cybersecurity is not just an IT issue; it is a business issue that warrants the attention of bank leadership.

Per the Verizon 2015 Data Breach Investigations Report, there were 642 information security incidents in the financial services industry last year. Out of those 642 security incidents, 242 were confirmed data losses.

Numbers like these are stark reminders that cybercrime is a reality, and it can lead to additional costs and headaches for financial institutions and their customers. The aftermath of a cyber attack may include consumer credit monitoring, legal fees, forensic fees, exposure to reputational damage (which may be difficult to quantify), and public relations campaigns.

As a result, more leaders of financial institutions have been learning how to integrate cybersecurity throughout their institutions as part of enterprise-wide governance processes and risk management, information security, business continuity, and vendor management. As a response to the growing threat of cybercrime, the Federal Financial Institutions Examination Council (FFIEC) recently developed the Cybersecurity Assessment Tool.

New cybersecurity assessment tool

The two-part assessment tool was designed to increase awareness of cybersecurity risks and to help bank boards of directors and bank management assess and mitigate the cybersecurity risks facing their institutions. It is based on recognized information technology and cybersecurity frameworks, including FFIEC IT handbooks and National Institute of Standards and Technology (NIST) framework.

The FFIEC Cybersecurity Assessment Tool can assist banks in:

  • Identifying factors contributing to cybersecurity risk
  • Assessing the institution’s overall cybersecurity risk
  • Assessing the institution’s cybersecurity preparedness
  • Evaluating whether the institution’s cybersecurity preparedness is aligned with its cybersecurity risks
  • Identifying risk management practices and/or controls that may need to be added or enhanced
  • Evaluating the maturity level of the institution’s cybersecurity program

The two parts of the assessment are Inherent Risk Profile and Cybersecurity Maturity.

  1. Inherent risk profile

The first part of the assessment tool can be used to evaluate the institution’s inherent risk profile before implementing controls in the following five areas noted in the FFIEC Cybersecurity Assessment Tool:

  • Technologies and Connection Types
  • Delivery Channels
  • Online/Mobile Products and Technology Services
  • Organizational Characteristics
  • External Threats

The tool asks management to identify the number of internet service providers, unsecure external connections, personal devices permitted to connect the institutions networks, end-of-life systems, open source software, online presence (social media), and emerging payment technologies.

  1. Cybersecurity maturity

The second part of the tool, cybersecurity maturity, is divided into five maturity levels: Baseline, Evolving, Intermediate, Advance, and Innovative. Each maturity level is broken down into five domains.  Overall, there are 15 assessment factors, 30 components, and 500 declarative statements (across all maturity levels).

Management can evaluate the institution’s cybersecurity maturity level for each of the five domains outlined in the assessment tool:

  • Cyber Risk Management and Oversight
  • Threat Intelligence and Collaboration
  • Cybersecurity Controls
  • External Dependency Management
  • Cyber Incident Management and Resilience

In completing the initial steps of the assessment tool, banks can go through the inherent risk categories and the specified processes and controls to identify and evaluate the inherent cybersecurity risk to the institution and the maturity level of their cybersecurity program. The assessment tool’s documentation indicates that institutions are expected to have, at minimum, a Baseline maturity level.

Implementing processes and controls for a Baseline maturity level may require time and coordination between different areas of the bank. However, institutions may already have processes and controls in place to achieve the Baseline level, many of which may be tested during the bank’s annual IT audit based on the FFIEC IT booklets.

Looking ahead

Ever-evolving and growing cybersecurity threats and vulnerabilities mean that an institution’s inherent risk profile and maturity levels may change over time. Therefore, the cybersecurity assessment should be completed at least once a year or any time significant operational and technological changes occur. Furthermore, based on Office of the Comptroller of the Currency (OCC) Bulletin 2015-31, the OCC will gradually incorporate the assessment into examinations of banks of all sizes in late 2015. Thus, while the FFIEC Cybersecurity Assessment Tool is currently optional for financial institutions, it may be a requirement in the near future.

Chief risk officers and information security officers can expect to have conversations with examiners about the tool in coming examinations. Therefore, institutions should consider conducting the assessment, identifying any gaps in the Baseline maturity level, and testing the effectiveness of those controls. Additionally, management may wish to identify a target maturity level and use the tool to identify processes and controls needed to reach that level. Financial institutions can conduct the cybersecurity assessment internally or engage a qualified consulting firm to assist in the process.