Swimming in Cybersecurity Alphabet Soup

Dickinson, Mackaman, Tyler & Hagen, P.C.

Dickinson, Mackaman, Tyler & Hagen, P.C.

Well-intentioned organizations trying to implement cybersecurity best practices can quickly become discouraged by the ocean of rules, guidance, and standards. The National Institute of Science and Technology (“NIST”), the Federal Financial Institutions Examination Council (“FFIEC”), National Association of Insurance Commissioners (“NAIC”), and the New York Department of Financial Services (“NYDFS”), to name a few, all have cybersecurity rules and guidance. While many of the recommendations and requirements among this alphabet soup of agencies overlap each other, implementation can still be daunting.

The NIST framework is comprehensive and detailed. The FFIEC provides a useful assessment tool for financial intuitions, and it maps its recommendations to the NIST framework. The NAIC model law, which this blog recently discussed in relation to the NYDFS guidance, requires organizations to conduct a risk assessment, but leaves it up to the organization to select the tool.

In October 2018, the Financial Services Sector Coordinating Council (“FSSCC”) published a synthesis of these standards into a single assessment tool. The tool is an attempt to bring harmony to what are often similar standards that use slightly different language.

The tool helpfully distinguishes between different tiers of financial institutions. Tier 1 national institutions are critical infrastructure, so it applies to the largest financial institutions in the country. Tier 2 institutions have the ability to cause a substantial national financial issue, but are not large enough to be deemed critical. Tier 3 institutions have a high degree of interconnectedness with certain sectors.  Finally, tier 4 institutions have fewer than 1 million customers. Most community banks will be tier 4 institutions.

Based on the institution’s classification, the analysis tool tailors the results to the institution’s needs. This provides institutions with a useful pre-exam assessment to help identify areas that might be of concern to regulators, as well as identify possible deficiencies in the organization’s cybersecurity preparedness. Even non-financial institutions can benefit from use of the FSSCC tool, because it is mapped to the NIST framework.

With the dizzying array of cybersecurity recommendations and standards available, many organizations fall victim to a “check the box” mentality to satisfy a regulator or meet a standard. However, cybersecurity depends on organizations doing an analysis of their specific risk profile, and tailoring their cybersecurity defenses accordingly. Finding a workable assessment tool that makes sense for a particular organization can go a long way toward helping that organization reduce the risk of a cybersecurity incident. That, after all, is the real goal of cybersecurity planning.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dickinson, Mackaman, Tyler & Hagen, P.C. | Attorney Advertising

Written by:

Dickinson, Mackaman, Tyler & Hagen, P.C.

Dickinson, Mackaman, Tyler & Hagen, P.C. on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.