The Federal Financial Institutions Examination Council (FFIEC) has released its long-awaited Cybersecurity Assessment Tool (Assessment) to help financial institutions identify the inherent risks faced by a company and determine the level of maturity of a company’s cybersecurity preparedness. The tool is the latest resource developed by the FFIEC to raise awareness among financial institutions and their critical third-party service providers regarding cybersecurity risks in light of the ever-growing volume and sophistication of cyber threats.

Although use of the Assessment is optional, the FFIEC believes the tool can “help management and directors of financial institutions understand supervisory expectations, increase awareness of cybersecurity risks, and assess and mitigate the risks facing their institutions.” The federal Office of the Comptroller of the Currency (OCC) has also announced it will incorporate the Assessment into its examinations of financial institutions subject to its jurisdiction in late 2015.

The Assessment and related materials are noteworthy for a number of reasons. First, the FFIEC materials include cybersecurity guidance addressed specifically to CEOs and Boards of Directors. Second, the Assessment provides a ready-to-use risk assessment framework, including risk areas, relevant control activities, definitions, and ratings scales, which can be easily executed by companies. Third, companies that already have an information security risk assessment framework can review their current methodology against the Assessment as a way of gauging the adequacy of that methodology. Fourth, the Assessment builds on and references all of the existing FFIEC guidance on cybersecurity-related control activities, which makes it easier to understand bank regulators’ expectations. Finally, the FFIEC has mapped the Assessment to the National Institute of Standards and Technology (NIST) Cybersecurity Framework as well as the FFIEC IT Examination Handbook.

The Assessment consists of two parts: (1) Inherent Risk Profile and (2) Cybersecurity Maturity. Part I identifies risks in the following five categories to determine a financial institution’s Inherent Risk Profile:

• Technologies and Connection Types
• Delivery Channels
• Online/Mobile Products and Technology Services
• Organizational Characteristics
• External Threats

The risk levels (ranging from Least Inherent Risk to Most Inherent Risk) provide insight into the type, volume, and complexity of the inherent risks identified in each category.

Part II of the Assessment determines the financial institution’s Cybersecurity Maturity levels across each of the following five domains:

• Cyber Risk Management and Oversight
• Threat Intelligence and Collaboration
• Cybersecurity Controls
• External Dependency Management
• Cyber Incident Management and Resilience

The risk levels (ranging from “Baseline” to “Innovative”) provide financial institutions with a measurement of the controls available to manage the inherent risks identified in Part I.

According to the FFIEC, “The Assessment provides a repeatable and measurable process for financial institutions to measure their cybersecurity preparedness over time.” The FFIEC believes that financial institutions can interpret and analyze the results of the Assessment to guide decisions about reducing inherent risk or developing a strategy to improve maturity levels. The FFIEC has also identified the following benefits to financial institutions that choose to use the Assessment:

• Identifying factors contributing to and determining the institutions’ overall cyber risk;
• Assessing the institution’s cybersecurity preparedness;
• Evaluating whether the institution’s cybersecurity preparedness is aligned with its risks;
• Determining risk management practices and controls that could be enhanced and actions that could be taken to achieve the institution’s desired state of cyber preparedness; and
• Informing risk management strategies.