Evaluating the FFIEC Cybersecurity Assessment Tool: A New Take on the Old Framework

Logan Simpson | 11/3/2015

The Federal Financial Institutions Examination Council (FFIEC) released a tool on June 30, 2015, to help banks and other financial institutions of all sizes identify their cyber risks and assess what the FFIEC calls their cybersecurity preparedness. Although much of the new Cybersecurity Assessment Tool can be mapped directly to the National Institute of Standards and Technology (NIST) 2014 Cybersecurity Framework, the assessment introduces a new dimension, the inherent risk profile, that changes the criteria setting expectations for the cybersecurity controls an organization is required to have.

The new framework measures cybersecurity preparedness as a relationship between an institution’s inherent risk profile and its control maturity levels. Banks determine their inherent risk after evaluating 39 factors based on the complexity, type, and volume of their service technology and other characteristics. Maturity is evaluated using 30 domain components, five maturity levels for each component, and roughly three declarative statements (controls) per maturity level, for a total of 494 controls. All applicable controls at each level must be met before advancing to the next maturity level for that domain component.

The result is a gap analysis across all domains that compares the inherent risk profile with the maturity levels to determine whether the two measures are aligned. According to the assessment, there is no single expected level for a financial institution. But in general, as inherent risk rises, an institution’s maturity levels should improve. If the institution’s maturity levels are not appropriate in relation to the inherent risk profile, the tool encourages the institution’s management to consider either reducing inherent risk or developing a strategy to improve maturity levels.
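The two scoring rules described above (a maturity level counts only when every applicable declarative statement at that level is met, and levels are earned in order) and the resulting gap analysis are easy to get wrong in a spreadsheet, so here is an added worked example in Python. It is not the FFIEC's own tooling. The five maturity-level names and five inherent-risk-level names are the FFIEC's published labels (the post counts the levels but does not name them); the component names, the statement results, and the `ASSUMED_TARGET` mapping from inherent risk to an expected maturity level are constructed assumptions, since the post says only that maturity should rise with inherent risk and that no single expected level exists.

```python
"""Maturity-gating and gap-analysis illustration for the FFIEC Cybersecurity
Assessment Tool. Added example, not the FFIEC's own code; sample data and the
risk-to-maturity target mapping are constructed for illustration."""
from typing import Dict, List, Optional

# The FFIEC tool's five maturity levels, lowest to highest.
MATURITY_LEVELS = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]

# The FFIEC tool's five inherent risk levels, lowest to highest.
INHERENT_RISK_LEVELS = ["Least", "Minimal", "Moderate", "Significant", "Most"]

# ASSUMED minimum maturity expected at each inherent risk level. The post only
# states that maturity should improve as inherent risk rises; this monotone
# mapping is a constructed placeholder, not a published FFIEC expectation.
ASSUMED_TARGET = dict(zip(INHERENT_RISK_LEVELS, MATURITY_LEVELS))

# One domain component's results: maturity level -> outcome of each declarative
# statement (True = met, False = not met, None = not applicable).
LevelResults = Dict[str, List[Optional[bool]]]


def achieved_maturity(level_results: LevelResults) -> Optional[str]:
    """Return the highest maturity level reached for one domain component.

    A level is reached only when every applicable statement at that level is
    met, and a level cannot be credited until all lower levels are reached.
    Returns None when even Baseline is not met or not assessed.
    """
    reached = None
    for level in MATURITY_LEVELS:
        if level not in level_results:
            break  # level not assessed: nothing above it can be credited
        applicable = [met for met in level_results[level] if met is not None]
        if all(applicable):  # vacuously true if every statement is N/A
            reached = level
        else:
            break  # one unmet applicable control blocks all higher levels
    return reached


def maturity_gaps(inherent_risk: str, components: Dict[str, LevelResults]) -> Dict[str, int]:
    """Levels each component falls short of the assumed target (0 = aligned).

    Components at or above the target report 0; higher-than-needed maturity is
    not a gap, it is simply headroom.
    """
    target_idx = MATURITY_LEVELS.index(ASSUMED_TARGET[inherent_risk])
    gaps: Dict[str, int] = {}
    for name, level_results in components.items():
        reached = achieved_maturity(level_results)
        reached_idx = -1 if reached is None else MATURITY_LEVELS.index(reached)
        gaps[name] = max(0, target_idx - reached_idx)
    return gaps


# Constructed sample: two hypothetical domain components with made-up results.
SAMPLE_COMPONENTS: Dict[str, LevelResults] = {
    "Governance / Oversight (sample)": {
        "Baseline": [True, True, True],
        "Evolving": [True, True, None],        # N/A statement does not block
        "Intermediate": [True, False, True],   # one unmet control stops here
        "Advanced": [True, True, True],        # met, but cannot be credited
    },
    "Threat Intelligence / Detection (sample)": {
        "Baseline": [True, True],
        "Evolving": [False, True, True],
    },
}

if __name__ == "__main__":
    for name, results in SAMPLE_COMPONENTS.items():
        print(f"{name}: {achieved_maturity(results)}")
    print(maturity_gaps("Moderate", SAMPLE_COMPONENTS))
```

Running the script shows the first sample component stopping at Evolving even though every Advanced statement is met, which is exactly the ordering rule that makes the assessment stricter than a checklist count; with an assumed Moderate risk profile the gap report is one level for the first component and two for the second.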

What does the new assessment framework mean for financial institutions?

First, the assessment significantly raises the bar for an institution aiming to improve its cybersecurity program. An institution could be completely compliant with the FFIEC IT Examination Handbook and, based on the assessment, reach only the first level of cybersecurity maturity. And institutions offering services through new and varied technology platforms may find significant gaps between their current controls and their risk profile.

Second, the two dimensions of this industry-specific assessment are a step toward more dynamic scoring of cybersecurity preparedness, which is a refreshing improvement over the one-size-fits-all control framework models. Introducing a relative scoreboard enables each factor and control of the inherent risk profiles and maturity levels to be very specific while allowing the assessment to be relevant to most financial institutions.

Finally, the FFIEC’s assessment helps business leaders make better-informed decisions when developing strategic road maps for their institutions. The assessment allows leadership to more accurately evaluate the total cost of ownership involved in an institution’s plans. Understanding how increasing the number and complexity of service channels can introduce inherent risk may encourage more collaboration, as well as better alignment of cybersecurity efforts with business strategy.