Wednesday, July 15, 2015

Fed to root out cyber threats with cybersecurity assessment tool

By J. Preston Carter, J.D., LL.M.

Beginning in late 2015 or early 2016, the Federal Reserve Board plans to start using a Cybersecurity Assessment Tool developed by the Federal Financial Institutions Examination Council to help banks manage cybersecurity risk. In response to the ever-increasing volume and sophistication of cyber threats, the FFIEC created the tool to help institutions identify their risks and determine their cybersecurity preparedness.

The assessment tool incorporates cybersecurity-related principles from the FFIEC Information Technology (IT) Examination Handbook, regulatory guidance, and concepts from other industry standards, including the National Institute of Standards and Technology Cybersecurity Framework. The Fed announced in recent supervisory guidance (SR 15-9) that it will use the assessment tool as part of the examination process when evaluating financial institutions’ cybersecurity preparedness in information technology and safety and soundness examinations and inspections.

Benefits to the institution. The FFIEC stated that institutions using the assessment tool will be able to enhance their oversight and management of their cybersecurity by:
  • identifying factors contributing to and determining the institution’s overall cyber risk;
  • assessing the institution’s cybersecurity preparedness;
  • evaluating whether the institution’s cybersecurity preparedness is aligned with its risks;
  • determining risk management practices and controls that are needed or need enhancement and actions to be taken to achieve the desired state; and
  • informing risk management strategies.

Risk and maturity. The assessment tool consists of two parts: Inherent Risk Profile and Cybersecurity Maturity. Inherent risk incorporates the type, volume, and complexity of the institution’s operations and threats directed at the institution. Cybersecurity maturity includes statements to determine whether an institution’s behaviors, practices, and processes can support cybersecurity preparedness. Upon completion of both parts, an institution’s management can evaluate whether the institution’s inherent risk and preparedness are aligned.

The FFIEC stated that, going forward, it will update the assessment tool and the IT Examination Handbook based on the changing cybersecurity threat landscape.
