
Alston & Bird Privacy, Cyber & Data Strategy Blog


FFIEC Issues Optional Cybersecurity Assessment Tool

July 6, 2015 By Kelley Barnaby

On June 30, 2015, the Office of the Comptroller of the Currency (OCC) announced that the Federal Financial Institutions Examination Council (FFIEC) has issued an optional Cybersecurity Assessment Tool (Assessment) for banking institutions (“institutions”) to use in evaluating their cyber risks and cybersecurity maturity (i.e., level of preparedness). The OCC also announced that it would “gradually incorporate the Assessment into examinations of national banks, federal savings associations, and federal branches and agencies.” The Assessment grew out of a 2014 pilot cybersecurity examination work program covering more than 500 community financial institutions, which evaluated their preparedness to mitigate cyber risks. The pilot found that the level of inherent cybersecurity risk varied significantly across financial institutions. The Assessment provides a “repeatable and measurable process to inform management of their institution’s risks and cybersecurity preparedness.” FFIEC intends the Assessment to benefit institutions by enhancing management’s oversight of cybersecurity issues and by aiding the CEO and Board in overseeing cybersecurity at the institution. In addition, because the Assessment maps to the National Institute of Standards and Technology (NIST) Cybersecurity Framework, it also gives senior management and the Board insight into the institution’s maturity relative to that Framework.

The Assessment measures two things: (1) the institution’s inherent risk profile and (2) the institution’s cybersecurity maturity. Institutions and examiners then review the results together to determine whether the institution’s cybersecurity preparedness aligns with its risk profile.

The inherent risk profile captures the risk that exists before any controls are applied. It reviews five categories: (1) technologies and connections, (2) delivery channels, (3) online/mobile products and technology services, (4) organizational characteristics, and (5) external threats. Within each category, it considers the type, volume, and complexity of the institution’s activities. The Assessment defines five risk levels (least, minimal, moderate, significant, and most), and the institution assigns one of these to each activity, service, or product in each of the five categories to establish the inherent risk of that particular activity. To arrive at the overall inherent risk profile, the institution reviews how many activities fall into each risk level and considers whether any single category poses additional risk.

The cybersecurity maturity evaluation determines the maturity level in each of five domains: (1) Cyber Risk Management and Oversight, (2) Threat Intelligence and Collaboration, (3) Cybersecurity Controls, (4) External Dependency Management, and (5) Cyber Incident Management and Resilience. It seeks to determine the extent to which the institution has controls in place for a particular risk and how mature those controls are. Maturity is judged on whether controls are repeatable and consistent, subject to governance and regular improvement, and effective at managing risk. Each domain is broken down into “assessment factors and contributing components.” The Assessment defines five maturity levels (baseline, evolving, intermediate, advanced, and innovative), which are applied domain by domain. For each domain and maturity level, the Assessment provides declarative statements that management can use to determine which maturity level best fits the institution’s current practices. The Assessment is designed only to identify the maturity level in each domain; it does not produce an overall cybersecurity maturity level across all domains.

FFIEC states that the Assessment should be completed periodically and whenever significant operational or technical changes occur. FFIEC expects management to consider changes in response to the results, such as reducing inherent risk or developing strategies to improve cybersecurity maturity, so that the institution achieves at least the baseline maturity level the Assessment defines.

The Assessment and FFIEC’s additional cybersecurity resources are available on the FFIEC website. FFIEC has provided an overview for CEOs and Boards. FFIEC has also correlated the Assessment to both the FFIEC Information Technology (IT) Examination Handbook and the NIST Cybersecurity Framework, and the website includes a mapping for each.


About Kelley Barnaby

Kelley Barnaby is a partner in Alston & Bird’s Litigation & Trial Practice Group, focusing her practice on commercial business litigation, including litigation arising from intellectual property rights, contract claims and unfair competition claims.


Copyright © 2021 · Alston & Bird · All Rights Reserved.