FFIEC Cybersecurity Assessment Tool

Patrick Morin, Risk & Business Advisory Principal
September 2015

The Federal Financial Institutions Examination Council (FFIEC) recently developed a cybersecurity assessment tool, published this past June, in response to the increasing volume and sophistication of cyber threats targeted at financial institutions. During our recent attendance at the AICPA’s National Advanced Accounting and Auditing Technical Symposium, we were given a stark reminder that the volume, frequency and size of cyberattacks continue to rise year over year, and of the importance of risk management in protecting companies and their customers. Additionally, the symposium highlighted the lack of security awareness within organizations; it has been estimated that over 80% of employees are unable to detect even the most common and frequent attacks, such as phishing scams. Further, many organizations need guidance on how to take action to mitigate the risks posed by the rise of cybercrime. The FFIEC’s assessment tool is designed to help institutions do this by providing management a framework to gauge their organization’s preparedness for mitigating cyber risks and providing recommendations to leadership.

The assessment tool is separated into two parts: measuring your organization’s level of inherent risk, and determining your organization’s cybersecurity maturity level. The measurement of inherent risk is designed to inform management as to their level of risk exposure (likelihood of an attack) and incorporates the type, volume, and complexity of the institution’s operations and corresponding threats; it is measured along a five-unit scale from “Least Inherent Risk” to “Most Inherent Risk” across five potential risk categories:

  1. Technologies and Connection Types
  2. Delivery Channels
  3. Online/Mobile Products and Technology Services
  4. Organizational Characteristics
  5. External Threats

The cybersecurity maturity level is a measure of the institution’s preparedness for a cybercrime event based on an assessment of controls to prevent, detect, and respond to attacks. Cybersecurity maturity is also measured along a five-unit spectrum, the least mature being “Baseline” and the most mature being “Innovative.” An organization measures its cybersecurity maturity level across five domains:

  1. Cyber Risk Management and Oversight
  2. Threat Intelligence and Collaboration
  3. Cybersecurity Controls
  4. External Dependency Management
  5. Incident Management and Resilience

The assessment should be completed by senior management, drawing upon the expertise of organizational staff as needed. In order to be effective, the assessment should be completed periodically to ensure it is updated as the organization changes. An organization’s inherent risk profile and corresponding maturity levels will change over time as threats, vulnerabilities, and operations change. For example, it is beneficial to revisit the assessment before a new product, service or initiative is launched; doing so will help management understand how these changes will affect the organization’s inherent risk profile.

Once an institution has determined its inherent risk and corresponding cybersecurity maturity level across all five domains, management must determine their organization’s risk appetite and adopt an optimal level of mitigating controls for their organization; the more inherent risk an organization faces, the more robust its risk mitigation strategy should be. The FFIEC provides a matrix demonstrating the relationship between the level of inherent risk associated with an operational environment and the maturity level of security controls to achieve risk mitigation. Recognizing gaps between risk and maturity level can inform actions to increase an institution’s cybersecurity awareness and preparedness. Note that the FFIEC does not identify a correct level of cybersecurity for every organization; this may be an area where a trusted, independent advisor can be utilized to help identify an organization’s risk appetite.

The FFIEC Cybersecurity Assessment tool is not designed to provide a comprehensive measurement of all risks facing your institution, as cyberattacks are only one avenue of risk. The cybersecurity assessment, along with a thorough fraud risk assessment, should be incorporated into your existing Enterprise Risk Management (ERM) program to ensure it is integrated throughout your organization’s governance processes, information security, business continuity, and third-party management. For more information on how the FFIEC Cybersecurity Assessment tool can contribute to your organization’s preparedness against cybercrime or to inquire how BNN’s services can assist you in determining your risk profile, cybersecurity maturity level, and opportunities for improvement, please contact Pat Morin, principal, at 1.800.244.7444.

Disclaimer of Liability: This publication is intended to provide general information to our clients and friends. It does not constitute accounting, tax, or legal advice; nor is it intended to convey a thorough treatment of the subject matter.