FFIEC Cybersecurity Assessment Tool – Another Risk Assessment?

FFIEC Cybersecurity Assessment Tool – Another Risk Assessment?

In June of 2015, the FFIEC rolled out a Cybersecurity Assessment Tool designed to help institutions identify their risks and determine their cybersecurity maturity. While the content within this advisory is certainly not new material, the documentation requirements and format for banks is new. The FFIEC sites that their new assessment tool is consistent with the FFIEC Information Technology Examination Handbook (IT Handbook) and the National Institute of Standards and Technology (NIST) Cybersecurity Framework. It has been speculated that regulators will begin looking at financial institutions’ compliance with this new advisory as early as May of 2016.

The Assessment advises financial institutions to take part in two exercises: An Inherent Risk Profile and a Cybersecurity Maturity Level exercise. Both the Inherent Risk Profile and the Cybersecurity Maturity Levels are broken down into five parts/areas described at a high-level below:

Inherent Risk Profile

• • Technologies and Connection Types
    • ISP (Internet Service Providers)
    • Third-party connections
    • Wireless
    • Volume of network traffic and devices
    • End-of-life systems
    • Cloud services
    •  Personal devices

• • Delivery Channels
    • Online availability
    • Mobile availability
    • ATM operations
  • Online/Mobile Products and Technology Services
    • Payment services
    • P-2-P (person-to-person) payments
    • ACH
    • Wire transfers
    • Wholesale payments
    • Merchant remote deposit capture
    • Treasury services
    • Client and trust services
    • Global remittances
    • Correspondent banking
    • Merchant activity
  • Organizational Characteristics
    • Recent mergers and acquisitions
    • Number of direct employees and contractors
    • Changes to security staffing
    • Privileged access
    • Changes in IT environment
    • Locations and business presence
    • Location of operations and data centers
  • External Threats
    • Volume of attacks
    • Sophistication of attacks

Cybersecurity Maturity Levels

• • Cyber Risk Management and Oversight
    • Governance
    • Risk management
    • Resources
    • Training and culture
  • Threat Intelligence and Collaboration
    • Threat intelligence
    • Monitoring and analyzing
    • Information sharing
  • Cybersecurity Controls
    • Preventative controls
    • Detective controls
    • Corrective controls
  • External Dependency Management
    • Connections
    • Relationship management
  • Cyber Incident Management and Resilience
    • Incident resilience planning and strategy
    • Detection, response, and mitigation
    • Escalation and reporting

The Inherent Risk Profile is conducted without consideration for controls in place to mitigate risk. Instead, its purpose is to determine the financial institution’s risk based solely on technologies and environmental factors without considering controls that have already been established to reduce the level of risk. The Cybersecurity Maturity Level is then determined by factoring in those controls that are in place to mitigate risk and determining the institution’s actual maturity level.

Once completed, management and the Board of Directors should review the current maturity level to determine if they are comfortable with the maturity level based on the inherent risk. If not, they are encouraged to continue the process of improving their security posture by doing the following:

• Determining a target maturity level (where the institution would like to be)
• Performing a gap analysis (determining gaps and requirements to achieve the target level)
• Prioritizing and planning (itemizing what needs to be done in what order to achieve the target level)
• Implementing changes
• Re-evaluating (determining whether the target maturity level was achieved)
• Communicating results to the Board of Directors

At the surface, the above guidance appears to be yet another risk assessment to be performed by financial institutions. While the assessment tools do resemble a risk assessment, the requirement to establish and meet a target risk maturity, or risk appetite, is new. This new standard will require financial institutions to continually monitor and document their cybersecurity maturity level and determine if gaps exist between the current and target level. Thus, as new threats and new technologies are introduced, this tool/assessment would be revisited to determine how those new items are affecting the institution’s cybersecurity maturity model.