New FFIEC Cybersecurity Assessment Tool: Guidance to Assist Community Banks with Evaluation of Security Controls

The Federal Financial Institutions Examination Council (FFIEC) recently released new guidance to assist financial institutions in assessing and mitigating the myriad cybersecurity risks they face. The release does not replace the existing FFIEC Information Security Handbook, but establishes a new Cybersecurity Assessment Tool (CAT) designed to help auditors and examiners evaluate the maturity and effectiveness of cybersecurity controls within financial institutions.

Before this announcement, financial institutions relied upon various frameworks issued by organizations such as the National Institute of Standards and Technology (NIST), the Information Systems Audit and Control Association (ISACA) and the SANS Institute. By assessing inherent cyber risks and documenting a maturity level, the new FFIEC CAT establishes a standard, consistent methodology for gaining insight into current and potential threats to highly sensitive data.

A detailed, effective cybersecurity assessment is dependent upon executive management’s oversight and support. The FFIEC believes a candid and thorough assessment of cybersecurity posture offers valuable benefits to institutions, including: 

  • Identifying factors contributing to and determining the institution’s overall cyber risk.
  • Assessing the institution’s preparedness for a cybersecurity incident.
  • Evaluating whether the institution’s cybersecurity preparedness is aligned with its risks.
  • Determining risk management practices and controls that are needed or need enhancement and actions to be taken to achieve the desired state.
  • Informing risk management strategies.

Designed as an enterprise-wide initiative, similar to those for disaster recovery, incident response and security awareness, the new FFIEC cybersecurity assessment will require the involvement of a cross-functional set of stakeholders, including management, IT, internal audit, compliance and enterprise risk management departments.

The CAT includes two primary processes: (1) creating the institution’s inherent risk profile, and (2) determining the maturity of the cybersecurity control implementation. Institutions should be familiar with identifying, assessing and documenting inherent risks to the organization. The assessment tool assists institutions in evaluating risk by providing five distinct inherent risk ratings, which are applied to an extensive list of technologies and configurations. 

Following the creation of the risk profile, the institution determines its maturity level. By applying a set of maturity criteria across several risk domains, the CAT helps non-IT leadership understand weaknesses and focus on prioritizing solutions. The model outlines five maturity ratings, starting with Baseline and escalating to the most mature level, Innovative, which describes an industry leader in developing controls and sharing information. Each level presents a series of questions, each answered with a simple ‘yes’ or ‘no’. The CAT is designed to give institutions a structured approach to evaluating a highly complex and evolving threat, and the resulting conclusions will require careful analysis and interpretation.

Introducing the assessment tool into cybersecurity programs will help financial institutions determine their current cybersecurity posture, identify areas of weakness and prioritize remediation efforts to mitigate risk. Inherent risks and maturity levels rated as less than satisfactory will need to be evaluated, and remediation plans communicated to stakeholders.

Implementing the tool is straightforward and will help institutions identify cyber risk. However, careful interpretation of the results will be needed to identify solutions appropriate to each institution’s environment and level of cyber risk. We anticipate that examiners will expect institutions to adopt the tool quickly, given the number of security events reported almost daily in the press.

DHG provides cybersecurity advisory and assessment services to assist organizations with evaluating and enhancing information security programs, including: 

  • Cybersecurity Risk Assessments and Program Development
  • Network and Web Application Vulnerability Assessments and Penetration Testing
  • Social Engineering and Physical Site Assessments
  • Security Incident and Data Breach Response Investigations
  • Security and Privacy Compliance Assessments (Payment Card Industry [PCI] and HIPAA / HITECH)
  • Service Organization Controls (SOC 1 and 2) Reporting

Please also see this article as published in the Winter 2015 issue of Carolina Banker.