Great questions this week from bankers on the Cybersecurity Assessment process and how to interpret the results. I wanted to provide some general feedback on how to interpret your Risk/Maturity Relationship. Once you understand your Inherent Risk Level and begin comparing it against the Maturity Level of your controls, you might start wondering when your controls can be considered adequate.
UNDERSTAND THE RISK/MATURITY RELATIONSHIP
Let’s assume your Inherent Risk result indicates “Least.” The FFIEC Risk/Maturity Relationship chart suggests your Board of Directors can choose either Baseline or Evolving as an acceptable risk goal for your Bank. If you are currently only meeting Baseline requirements within all domains, your Board of Directors may choose to set a risk goal of Evolving in a few, or even all, of the five domains.
It may be worth noting that formal Board of Directors approval of a risk appetite statement is found in the Intermediate control set. Regardless of whether you create a formal document with hard due dates for completion, a progressive approach should be taken to further mitigate risk and enhance cyber maturity at your Bank. If you fail to set a goal, or set your goal too low, a future auditor or examiner may recommend a higher goal.
PREPARING FOR A SUCCESSFUL EXAMINATION
Another benefit of this approach is that regulators can vary the intensity of the findings in your exam. If deficiencies are noted in your Baseline control set, they might give more emphasis to the recommendation (for example, a Matter Requiring Immediate Attention), whereas a deficiency in your Evolving control set could be toned down to a lesser level (a Matter Requiring Attention). This assumes your regulator will cite you for any deficiencies at all, which is still a variable at this time. Also keep in mind that just because controls fall outside the blue range on the Risk/Maturity Relationship table doesn’t mean your examiner will not make any recommendations; it simply means the risk-based approach of the FFIEC Cybersecurity Assessment Tool would not support their recommendation. The examination process has historically been subjective, and examiners can suggest controls regardless, as some seasoned bankers can relate to.
Written by: Chad Knutson
President - SBS Institute
Senior Information Security Consultant - SBS
Hacker Hour webinars are a series of free webinars hosted by SBS CyberSecurity. Unlike paid webinars, Hacker Hours meet on a monthly basis to discuss cybersecurity issues and trends in an open format. Attendees are encouraged to join the conversation and get their questions answered. SBS will also offer products and services to help financial institutions with these specific issues.