The FFIEC Cybersecurity Assessment Tool and what it means to your institution

AuditOne Regulatory Advisory

From Bud Genovese, Chairman

In our ongoing efforts to keep you abreast of news in the regulatory environment, we periodically issue AuditOne Regulatory Advisories. Please feel free to forward it to the appropriate people in your bank. Thank you, –Bud

Cyber threats have been evolving and increasing rapidly, and we are seeing more frequent and more sophisticated attacks than before. Financial institutions rely on technology for critical operations, yet the technology service providers they depend on and their own IT investments can leave them exposed to vulnerabilities that criminals will exploit.

Unfortunately, the regulators do not expect this problem to go away, because the primary motives of these attackers include espionage, money, disruption or destruction, political or social statements, and notoriety. The attackers themselves are also varied, and include nation-states, terrorists, criminals, and insiders. They often have technical expertise and financial sponsors, operate largely beyond the reach of law enforcement, and remain anonymous.

In response to this complex problem, the FFIEC has created a dedicated cybersecurity page and issued multiple statements and alerts. Many of the FFIEC resources on that page contain recommended controls for institutions to implement, but it is difficult for smaller institutions to determine which controls are appropriate to their size and complexity.

On June 30, 2015, the FFIEC released its Cybersecurity Assessment Tool, which institutions of all sizes can use. The Tool first walks management through an inherent risk profile, rating the institution in five categories: Technologies and Connection Types, Delivery Channels, Online/Mobile Products and Technology Services, Organizational Characteristics, and External Threats. Once management has determined the Bank's inherent cybersecurity risk level, the Tool provides a Cybersecurity Maturity assessment: a list of expected controls (declarative statements) that management can compare against what the Bank already has in place, so that the control maturity can be matched to the inherent risk. These controls draw on the NIST (National Institute of Standards and Technology) Cybersecurity Framework and the FFIEC Information Technology Examination Handbook.

While completing the assessment is voluntary, regulatory examiners plan to discuss the Tool with institutions' management during examinations beginning in the fourth quarter of 2015. To help prepare for this, Insight Risk Consulting (IRC), an affiliate of AuditOne LLC, has been assisting financial institutions in preparing a Cybersecurity Risk Assessment consistent with the FFIEC Cybersecurity Assessment Tool, in assessing their cybersecurity preparedness, and in determining whether their current controls align with their overall cybersecurity risk. We also assist management in identifying risk management practices and controls that can mitigate cybersecurity risks. If you are interested in any of these areas, please contact Kevin Watson, Co-CEO, or Jeremy Taylor. Both may also be reached through our Team & Contact page.