US Government Banking Council Releases Cybersecurity Assessment Tool

The Federal Financial Institutions Examination Council (FFIEC), a formal government interagency body that includes the five major banking regulators, has issued a Cybersecurity Assessment tool for banking institutions to evaluate their risks and cybersecurity readiness.

National banks, federal branches of the Federal Reserve, agencies and federal savings associations of varying sizes will incorporate a cybersecurity assessment tool, referred to simply as the ‘Assessment’, into their cybersecurity examinations.

Announced by the Office of the Comptroller of the Currency (OCC), the ‘Assessment’ enables banks and examiners to determine the inherent risk profile of any bank, along with its state of cybersecurity preparedness. The results help determine whether the bank’s cybersecurity maturity level matches its inherent risk profile.

The two parts of the Assessment, the Inherent Risk Profile and Cybersecurity Maturity, are as follows:

  • Inherent Risk Profile: The first part identifies the risks inherent to a bank given the methodologies, volume and complexity of the bank’s technologies, delivery channels, products and services, organizational characteristics and external threats. The bank’s risk-mitigating controls are also assessed.
  • Cybersecurity Maturity: The bank’s cybersecurity maturity is evaluated across multiple domains, each of which has five maturity levels: baseline, evolving, intermediate, advanced and innovative. A bank’s cybersecurity maturity inherently depends on its risk profile.

Furthermore, the FFIEC has made additional resources available for banks and other financial institutions alongside the cybersecurity assessment tool. These include a user’s guide, an executive overview and an online presentation module explaining the Assessment, along with other appendices.

OCC examiners have used the tool since late 2015, and it remains the tool examiners use to gain a complete understanding of a financial institution’s cybersecurity structure and inherent risks. For the banks themselves, however, the Assessment is optional.
