Cyber-RISK: FFIEC Cybersecurity Assessment

We define “cyber risk” as “the increased probability that the very-high-impact, internet-based risks and threats we once thought were improbable will harm our networks,” and “cybersecurity” as “the controls and processes in place to protect our networks and customer information from cyber risk.” Cybersecurity is actually a discipline of information security, which not only encompasses cybersecurity, but also all of the traditional things we’ve done to protect our confidential customer information, including IT risk assessment, vendor management, business continuity planning, vulnerability assessment, IT audit, and much more.

Absolutely not! Your cybersecurity assessment is simply a new perspective; a way for your institution (including the board and senior management), your regulators, and your auditors to know and understand how much you have done to protect against cyber risk and the increase in the new internet-based threats and vulnerabilities that are affecting your institution. Performing an IT risk assessment is actually MORE applicable than ever, as a quantitative and measurable IT risk assessment that identifies how you are protecting the information stored, transmitted, and processed on the IT systems and assets your institution use on a regular basis will help you make better decisions on which controls to implement, as well as how to spend your next information security dollar.

Here are the major takeaways that you need to understand regarding the FFIEC Cybersecurity Assessment Tool:

• It is an expectation that C-Level Management and/or Board of Directors install a top-down approach to cybersecurity.
• All financial institutions are expected to complete this assessment.
• This assessment does not replace any existing risk assessments but clarifies the expectations of the extent of risk management practices in your institution.
• The assessment process is not a one-time project or process, but rather an ongoing assessment that the institution will be expected to keep up and utilize on an ongoing basis.
• There are three (3) parts to the assessment: 1) Rating your Inherent Risk for Cybersecurity threats based on your size and complexity; 2) Rating your Cybersecurity Maturity regarding how prepared you are to handle different cybersecurity threats; and 3) Interpreting and analyzing your results by understanding how your Inherent Risk ties to your Cybersecurity Maturity, and where you SHOULD be regarding risk vs. maturity.

The expectation set forth by the FFIEC is that this Cybersecurity Assessment Tool will be driven (not completed by, but driven) by the CEO or President, and the Board of Directors needs to know what this cybersecurity assessment means, in terms of risk vs. maturity. The most likely candidates to complete or fill out the Cybersecurity Assessment Tool include the following roles: VP of Information Technology, IT Manager, Information Security Officer, or Network Administrator.

Absolutely, they need to be involved. Board involvement, referenced in the Cybersecurity Assessment General Observations, was a major point of the FFIEC Cybersecurity Assessment that was performed in the second half of 2014, and now the Cybersecurity Assessment Tool. The tool specifically mentions Board involvement TWENTY-ONE (21) times in the Cybersecurity Maturity section, just in case you didn’t think the FFIEC is taking Board involvement seriously. Domain 1 - Cyber Risk Management and Oversight talks about Board involvement on an increasing frequency to go with increasing maturity, particularly in the “Oversight” component of the “Governance” factor, mentioning the Board fourteen (14) times alone.

The overall goal is two-fold, from our perspective - 1) to highlight areas of weakness and strength at your institution regarding how you are or will be able to handle a cybersecurity attack, as well as exactly how you can mitigate this risk and implement additional controls, and 2) to give regulators and examiners an idea of how capable your institution is regarding cybersecurity preparedness from the get-go, as well as how seriously your institution is taking the cybersecurity initiative.

The short answer is “Yes.” Both Federal and State Examiners are likely to use the CAT tool. The FDIC FIL stated the completion of this Cybersecurity Assessment as “voluntary,” but they are expecting that if the FFIEC CAT is not used, then an alternative Cybersecurity Assessment will be completed. The OCC and Federal Reserve both state in their release documentation that it will be included in their regulatory exams, basing the scope of examinations on the CAT in most cases. The FDIC has opted to design new examination procedures, called InTREx, which will be released later in 2016. Multiple state banking departments have also issued letters to financial institutions requiring the completion of a Cybersecurity Assessment.