By J. Preston Carter, J.D., LL.M.
Beginning in late 2015 or early 2016, the Federal Reserve Board plans to start using a Cybersecurity Assessment Tool developed by the Federal Financial Institutions Examination Council (FFIEC) to help banks manage cybersecurity risk. In response to the ever-increasing volume and sophistication of cyber threats, the FFIEC created the tool to help institutions identify their risks and determine their cybersecurity preparedness.
The assessment tool incorporates cybersecurity-related principles from the FFIEC Information Technology (IT) Examination Handbook, regulatory guidance, and concepts from other industry standards, including the National Institute of Standards and Technology Cybersecurity Framework. The Fed announced in recent supervisory guidance (SR 15-9) that it will use the assessment tool as part of the examination process when evaluating financial institutions’ cybersecurity preparedness in information technology and safety-and-soundness examinations and inspections.
Benefits to the institution. The FFIEC stated that institutions using the assessment tool will be able to enhance their oversight and management of their cybersecurity by:
- identifying factors contributing to and determining the institution’s overall cyber risk;
- assessing the institution’s cybersecurity preparedness;
- evaluating whether the institution’s cybersecurity preparedness is aligned with its risks;
- determining risk management practices and controls that are needed or need enhancement and actions to be taken to achieve the desired state; and
- informing risk management strategies.
Risk and maturity. The assessment tool consists of two parts: Inherent Risk Profile and Cybersecurity Maturity. Inherent risk incorporates the type, volume, and complexity of the institution’s operations and threats directed at the institution. Cybersecurity maturity includes statements to determine whether an institution’s behaviors, practices, and processes can support cybersecurity preparedness. Upon completion of both parts, an institution’s management can evaluate whether the institution’s inherent risk and preparedness are aligned.
The FFIEC stated that, going forward, it will update the assessment tool and the IT Examination Handbook based on the changing cybersecurity threat landscape.
For more information on how banks can manage cybersecurity risk, subscribe to the Banking and Finance Law Daily.