On June 30, 2015, the Office of the Comptroller of the Currency (OCC) announced that the Federal Financial Institutions Examination Council (FFIEC) has issued an optional Cybersecurity Assessment Tool (Assessment) for banking institutions (“institution”) to use to evaluate risks and cybersecurity maturity (i.e., level of preparedness). OCC also announced that it would “gradually incorporate the Assessment into examinations of national banks, federal savings associations, and federal branches and agencies.” This arises out of a 2014 pilot cybersecurity examination work program at more than 500 community financial institutions to evaluate their preparedness to mitigate cyber risks. The pilot program found that the level of cybersecurity inherent risk varied significantly across financial institutions. The Assessment provides a “repeatable and measurable process to inform management of their institution’s risks and cybersecurity preparedness.” FFIEC intends the Assessment to benefit institutions by enhancing management’s oversight of cybersecurity issues and aiding the CEO and Board in overseeing cybersecurity at the institution. In addition, as the Assessment maps to the National Institute of Standards and Technology (NIST) Cybersecurity Framework, it also provides valuable insight for senior management and the Board into the institution’s maturity vis-à-vis that Framework.
The Assessment intends to measure two things: (1) the institution’s inherent risk profile and (2) the institution’s cybersecurity maturity. Institutions and examiners will review the results to determine whether the cybersecurity preparedness aligns with the risk profile.
The inherent risk profile assesses the risks that exist before controls are implemented. The assessment reviews five categories: (1) technologies and connections, (2) delivery channels, (3) online/mobile products and technology services, (4) organizational characteristics, and (5) external threats. It considers the type, volume, and complexity of each category. The Assessment defines five risk levels (least, minimal, moderate, significant, and most) that the institution applies to each activity, service, or product in each of the five categories to determine the inherent risk for that particular activity. To determine the overall inherent risk profile, the institution reviews the number of instances at each risk level across all activities and considers whether any specific category poses additional risk.
The cybersecurity maturity evaluation determines the maturity level in each of five domains: (1) Cyber Risk Management and Oversight, (2) Threat Intelligence and Collaboration, (3) Cybersecurity Controls, (4) External Dependency Management, and (5) Cyber Incident Management and Resilience. It seeks to determine the extent to which the institution has controls in place for a particular risk and how mature those controls are. Aspects of maturity include repeatability, consistency, governance, regular improvement, and controls for effective risk management. Each domain includes “assessment factors and contributing components.” The Assessment defines five maturity levels (baseline, evolving, intermediate, advanced, and innovative), which are applied to each domain. Both the domains and the maturity levels have declarative statements that management can use to determine which maturity level best fits the institution’s current practices. The Assessment is designed only to identify the maturity level in each domain, not an overall cybersecurity maturity level across all domains.
FFIEC states that the Assessment should be completed periodically and as significant operational and technical changes occur. FFIEC expects management to consider changes based on the results, such as reducing the inherent risk or developing strategies to improve cybersecurity maturity, to achieve a baseline maturity consistent with the Assessment.
The Assessment and FFIEC’s additional cybersecurity resources are available here. FFIEC has provided an overview for CEOs and Boards. FFIEC has also correlated the Assessment to both the FFIEC Information Technology (IT) Examination Handbook and the NIST Framework. The website includes mappings for each.