FFIEC Cybersecurity Assessment Tool
Brian Toevs
If your financial services organization falls under the watchful eye of the Office of the Comptroller of the Currency (OCC), you are probably at least passingly familiar with the Federal Financial Institutions Examination Council (FFIEC). The FFIEC developed a self-assessment tool to help institutions identify their vulnerabilities and determine their current state of cyber risk. The FFIEC recognized that financial institution Boards of Directors did not have a clear, understandable, and consistent vehicle for communicating the state of cyber-preparedness of the computer systems they were overseeing. Since few Boards of Directors have cyber-experts as members, the technology and jargon of penetration testing, firewalls, intrusion detection systems, and so forth were not giving Board members the information they needed to make well-informed decisions. The FFIEC responded by developing the Cybersecurity Assessment Tool (CAT) to fill that gap in Board communications. Currently, this remains a ‘voluntary’ exercise for member institutions, particularly for the medium and larger institutions (above $500M in assets). However, this is likely to change soon, because the content and form are easier for non-technology managers to understand. In other words, the format is working.
The CAT consists of two parts: the Inherent Risk Profile and Cybersecurity Maturity. The OCC has been emphasizing how cybersecurity teams are assessing and addressing cyber risk in their institutions. The CAT begins by helping the cyber team develop an inherent risk profile (absent mitigating controls at this point) by categorizing risk to the institution’s technology and communications; delivery channels; mobile products (including online); organizational characteristics; and external threats into risk levels from low to high. Once the inherent risk is defined, an analysis of the mitigating controls is applied to determine residual risk and the maturity of the institution’s control mechanisms. The Maturity Model created from your responses gives the Board of Directors at your institution a clearer picture of how well the institution is addressing cyber risk management and oversight; threat intelligence; collaboration; controls; and incident response. This gives the Board better insight into where to focus its attention regarding cyber issues.
The purpose of this self-assessment is not for the OCC or the FFIEC examiners to audit your cyber preparedness. It is designed for the institution to document ongoing process improvement and how effectively its controls are meeting the need for cyber preparedness and risk recognition / mitigation. If you haven’t completed one yet, it would be well worth your time to go to https://ffiec.gov/cybersecuritytool.thm and try it out. Even if you’re not ‘required’ to complete one yet, it is an excellent way for those responsible for cybersecurity in your institution to give the Board of Directors a tool they can actually use to assess how well you’re doing in protecting the institution’s cyber assets.
Brian Toevs, PhD, MBA
Sector Chief – Financial Services
InfraGard Indiana Members Alliance
Work: (812) 238-2165
iPhone: (540) 815-3465