FFIEC Issues New Cybersecurity Guidance for Financial Institutions

By Daniel L. Farris

The Federal Financial Institutions Examination Council (FFIEC) has released a new tool intended to assist financial institutions to identify cyber-risks and determine their institutional cyber-readiness.  The FFIEC Cybersecurity Assessment Tool (CAT), released June 30, 2015, “provides institutions with a repeatable and measurable process to inform management of their institution’s risks and cybersecurity preparedness.”  Financial institutions – and particularly their Boards and senior management – should take note. 

The CAT, which is more assessment framework than an implementable tool, provides direction that is consistent with the NIST Cybersecurity Framework, as well as industry accepted cybersecurity practices.  Organizations are encouraged to utilize the CAT as part of their existing compliance, risk management, privacy, and data security functions. 

“The Assessment consists of two parts: Inherent Risk Profile and Cybersecurity Maturity. The Inherent Risk Profile identifies the institution’s inherent risk before implementing controls. The Cybersecurity Maturity includes domains, assessment factors, components, and individual declarative statements across five maturity levels to identify specific controls and practices that are in place.”

Identifying the organization’s Inherent Risk Profile includes the assessment of five areas:

  • Technologies and Connection Types

  • Delivery Channels

  • Online/Mobile Products and Technology Services

  • Organizational Characteristics

  • External Threats

    After an Inherent Risk Profile is determined, management should then evaluate the organization’s Cybersecurity Maturity level in five domains:

  • Cyber Risk Management and Oversight

  • Threat Intelligence and Collaboration

  • Cybersecurity Controls

  • External Dependency Management

  • Cyber Incident Management and Resilience

    Based on the outcomes and findings in these areas, companies are encouraged to ensure cybersecurity efforts are sufficiently comprehensive and sophisticated (i.e. mature) to combat the threats identified in the risk analysis.

Notably, in releasing the CAT, the FFIEC is communicating the importance of cybersecurity to financial institution boards and management.  This is a clear signal that regulators will continue to view privacy and data security issues as enterprise-level considerations not to be relegated to a purely Information Technology function.  To that end, the FFIEC includes specific guidance on the roles of the CEO and the Board in its “Overview for Chief Executive Officers and Boards of Directors.”

The role of a CEO may include to:

  • Develop a plan to conduct the Assessment.

  • Lead employee efforts during the Assessment

  • Set the target state of cybersecurity preparedness

  • Review, approve, and support plans to address risk management and control weaknesses

  • Analyze and present results for executive oversight, including key stakeholders and the board

  • Oversee the performance of ongoing monitoring to remain nimble and agile in addressing evolving areas of cybersecurity risk

  • Oversee changes to maintain or increase the desired cybersecurity preparedness

    The Board’s role may include to:

  • Engage management in establishing the institution’s vision, risk appetite, and overall strategic direction

  • Approve plans to use the Assessment

  • Review management’s analysis of the Assessment results, inclusive of any reviews or opinions on the results issued by independent risk management or internal audit functions regarding those results

  • Review the institution’s cybersecurity preparedness and its alignment with risks

  • Review and approve plans to address any risk management or control weaknesses

  • Review the results of management’s ongoing monitoring of the institution’s exposure to and preparedness for cyber threats

    While useful guidance, this is yet another set of government-issued principles to be tracked and considered by financial institutions, which now must juggle similar standards set forth by NIST, the Department of Justice, and the Federal Communications Commission, at least. 

    If you or your organization has questions or concerns about the FFIEC’s new cyber guidance or the creation and/or implementation of a cybersecurity plan, contact the author or a Polsinelli Privacy and Data Security team member.