As promised in their 2014 Cybersecurity Observations publication, the FFIEC has released new guidance in the form of a Cybersecurity Assessment Tool. As one would expect, it has a heavy focus on CEO and Board level involvement, as well as tying controls to other FFIEC and NIST resources in order to assemble a set of expectations for financial institutions based on their size and complexity.
However, this new assessment tool not only gives financial institutions a method to evaluate the maturity of their Information Security Program against cyber threats; it also gives examiners a method to build a risk-based cyber examination process. The old FFIEC handbooks never really delineated between institutions of different size and complexity, and that delineation is exactly what the FFIEC appears to be introducing here on the cybersecurity side of the information security world. Interestingly, the new tool is also very prescriptive: inherent risk and maturity expectations are spelled out in specific detail, which is another (welcome) change from traditional guidance. It essentially hands institutions examination procedures they can use to point to exactly where they stand in the realm of cybersecurity, as well as exactly where they need to be regarding the implementation of controls. For those who have completed the FDIC IT Officer's Questionnaire in the past, this tool resembles that process very closely, with two significant differences: the FDIC IT Officer's Questionnaire has a signature line for accountability, which this tool does not, and it lacks a risk-based scoping process that varies expectations based on an institution's size and complexity, which this tool provides.
Another significant question that needs to be addressed is how this new assessment affects what institutions are currently doing regarding a documented Information Security Program. Please be sure to understand: this new Cybersecurity Assessment Tool is not a replacement for any current risk management process. It is an addition to current Information Security Program processes that helps ensure financial institutions have adequate controls in place to mitigate the risk of cyber-specific threats. It does not replace anything from a standard or traditional ISP, including an asset-based IT Risk Assessment. It is a different vantage point that should allow Senior Management and the Board of Directors to better understand the institution's maturity in preparing for and mitigating the cybersecurity attacks that are hitting networks and organizations with increasing regularity.
So, what are the big takeaways for those that need to understand this new tool at your own financial institutions?
- The assessment tool identifies and creates a baseline of (inherent) cybersecurity risk for the institution. It then compares the institution's current maturity level against risk-based expectations and identifies gaps in the cybersecurity controls needed to meet the maturity expectations. If the institution does not meet the identified cybersecurity maturity levels, the assessment suggests improvements to existing risk management and information security program components.
- The FDIC has also released this FFIEC Cybersecurity Assessment Tool as FIL-28-2015 and states that the use of this new tool is "voluntary"; however, we have seen many times in the past that voluntary processes or items not formally mandated are still used in examinations. Technically, all of the FFIEC IT Booklets are voluntary resources. It is important that each financial institution quickly get familiar with this new Cybersecurity Assessment Tool and understand where the institution stands in terms of inherent risk and cybersecurity maturity.
- Once you understand your inherent risk and maturity levels, your next step is to develop a list of next steps to close the gaps in the cybersecurity maturity model identified by the FFIEC. Examiners will likely not expect full compliance with these identified cybersecurity controls tomorrow, but there will certainly be an expectation that institutions start leveraging this resource and making progress toward the identified goals.
Additional Information and Resources
- We have automated this manual assessment tool into a freely available resource that financial institutions can use to quickly and easily perform their own Cybersecurity Assessment. Contact us if you are interested in more information or in registering for this free web-based application.
Written by: Jon Waldman, CISA, CRISC
Partner - Secure Banking Solutions
Vice President of Business Development - SBS Institute
Hacker Hour webinars are a series of free webinars hosted by SBS CyberSecurity. Unlike paid webinars, Hacker Hours meet monthly to discuss cybersecurity issues and trends in an open format. Attendees are encouraged to join the conversation and get their questions answered. SBS will also offer products and services to help financial institutions with these specific issues.