The question that has been discussed in detail by examiners, bankers, and experts is this: “Is the FFIEC Cybersecurity Assessment Tool required?” I want to highlight a few clear facts that will hopefully help you decide, not necessarily whether the tool is required, but whether you should complete it today. Based on the history of regulation, any published guidance is applicable for use in any examination by a regulator or auditor. As we also know, there are many security practices that we must follow that are not specifically required in an FDIC FIL, OCC Bulletin, or Fed SR Letter. (Example: Is a firewall required by regulation?)
What is clear in each supplement announcement made by ALL three regulators is that the tool will be discussed or used in your next examination. It is not guaranteed that you will get written up for not completing this new cybersecurity assessment, but it will be part of your exam, and examiners will be measuring how well you manage your information security program based on whether or not you have completed the assessment.
The results of your IT examinations are scored under the “M” in the CAMELS rating, which stands for management. The primary goal of the regulator is to ensure you are “M”anaging risk. If you don’t complete a cybersecurity assessment, do you think that will communicate a positive message about “M”anaging risk? This tool is the largest resource published by the FFIEC in many years, and the first ever framework for cybersecurity threats. This alone should be a significant motivator to complete the FFIEC Cybersecurity Assessment Tool, if for no other reason than it is part of “good security.” A cybersecurity assessment will help address the increasing volume and sophistication of cyber threats, as well as give your institution an understanding of how prepared you are to handle potential cyber incidents.
Should you complete this assessment today? Here are the expectations established by your regulator:
“In particular, the Federal Reserve will work to tailor expectations to minimize burden for financial institutions with low cybersecurity risk profiles and, potentially, supplement expectations for financial institutions with significant cybersecurity risk profiles. Beginning in late 2015 or early 2016, the Federal Reserve plans to utilize the assessment tool as part of our examination process when evaluating financial institutions’ cybersecurity preparedness in information technology and safety and soundness examinations and inspections.”
“The OCC will implement the Assessment as part of the bank examination process over time to benchmark and assess bank cybersecurity efforts.”
“While use of the Assessment is optional for financial institutions, OCC examiners will use the Assessment to supplement exam work to gain a more complete understanding of an institution’s inherent risk, risk management practices, and controls related to cybersecurity. OCC examiners will begin incorporating the Assessment into examinations in late 2015.”
“Use of the Cybersecurity Assessment Tool is voluntary.”
“FDIC examiners will discuss the Cybersecurity Assessment Tool with institution management during examinations to ensure awareness and assist with answers to any questions.”
Hacker Hour webinars are a series of free webinars hosted by SBS CyberSecurity. Unlike paid webinars, Hacker Hours meet on a monthly basis to discuss cybersecurity issues and trends in an open format. Attendees are encouraged to join the conversation and get their questions answered. SBS will also offer products and services to help financial institutions with these specific issues.