FFIEC Releases Cybersecurity Assessment Tool

The FFIEC released the Cybersecurity Assessment Tool on June 30, 2015, and regulators expect banks’ boards of directors to use this tool to assess their own cybersecurity risks.

The intent is for a bank board to be able to recognize the cyber risks they are taking on and what mitigating controls are in place. Banks engaging in more cyber activities or in higher risk areas are expected to be implementing additional risk mitigation controls.

The Assessment is broken down into two parts that together create a repeatable, measurable approach, allowing management to focus on identifying and illustrating the level of cybersecurity risk the bank is taking on. The first area of focus is the Inherent Risk Profile. This analyzes inherent risks in five separate domains without accounting for any risk-mitigating practices that are currently in place. The second area, Cybersecurity Maturity, analyzes several factors to determine which controls and risk-mitigating practices are already in place at the institution.

One domain the Inherent Risk Profile considers is technologies and connection types. The number of Internet connections a bank maintains is an example of an activity that would be analyzed in this domain: the more connections in use, the higher the bank or institution’s inherent risk. The Cybersecurity Maturity assessment then identifies what controls the bank has in place to mitigate the risks associated with using numerous Internet service providers.

Using the above example, a single provider that can reduce the number of connections, implement risk-mitigating controls and provide the redundant connectivity a bank needs for business continuity would reduce overall risk. A single provider would also reduce the amount of vendor due diligence a bank has to perform, lowering its compliance burden.

Banks utilizing BankOnIT would receive a reduced inherent risk rating for technologies and connection types in their Inherent Risk Profile by having one vendor, BankOnIT, serve as the connection provider. BankOnIT also addresses the Cybersecurity Maturity assessment with risk-mitigating controls such as firewalls that are installed, properly configured, tested, monitored and managed 24 hours a day. By utilizing the BankOnIT Managed Network’s redundant Internet connectivity, the bank also receives added redundancy and business continuity capabilities.

BankOnIT is reviewing in detail the information released by the FFIEC about the Cybersecurity Assessment Tool to determine what additional documentation banks will need. BankOnIT is focused on providing you the information you need to show how your bank’s network is being managed to reduce risk and maintain appropriate controls, helping ensure the security of bank information while providing the capabilities the bank needs.

As technology changes rapidly, the associated technology risks are increasing, resulting in added regulatory emphasis on information security. Bank boards should be prepared to answer questions about information security during their next IT exam.

For more information, please contact us at 800-498-8877 or solutions@bankonitusa.com.