Sage Advice - Cybersecurity Blog

Understanding the FFIEC Cybersecurity Assessment Tool

In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council (FFIEC) developed the Cybersecurity Assessment Tool (Assessment) to help institutions identify their risks and determine their cybersecurity maturity. The methodology provides a repeatable process to measure your cybersecurity preparedness over time.

The benefit of the FFIEC Cybersecurity Assessment Tool is that you’ll be able to measure your institution over and over again against the same benchmarks. Plus because financial institutions across the country are expected to use this same methodology, regulators will be able to measure you against others as well.

FFIEC Cybersecurity Assessment vs. NIST Cybersecurity Assessment

The Assessment incorporates cybersecurity-related principles from the FFIEC Information Technology (IT) Examination Handbook and regulatory guidance, and concepts from other industry standards, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework.

You may remember that in 2014, FFIEC stated that they wanted financial institutions to adopt the NIST Cybersecurity Framework. However, because of the advanced and increasing cyber threats to the financial system, they ultimately determined it was not comprehensive enough for financial institutions. NIST was designed for all public and private institutions, and since financial institutions have been examined for years, they are light years ahead of the other sectors that NIST was designed for. Therefore FFIEC decided to expand on the existing NIST Framework with the development of their Assessment.

The FFIEC Assessment is much more comprehensive and is very specific to financial institutions. The NIST Framework only looks at 98 controls, while the FFIEC Assessment looks at 494 different controls, or what they call declarative statements.

How it Works - Controls & Domains

The assessment tool has two components.

The first is the Inherent Risk Profile, which identifies the targeted maturity level for your institution. It includes descriptions of activities across risk categories with definitions for the “Least” to “Most” levels of Inherent Risk. The outcome defines the exposure to risk that the institution’s activities, services, and products individually and collectively pose to the institution. The categories include technologies and connection types, delivery channels, online/mobile products and technology services, organization characteristics, and external threats.

The second part is the Cybersecurity Maturity Profile. This is a series of declarative statements (494 of them) that measure your institution. Maturity levels begin with “Baseline” and progress through “Evolving,” “Intermediate,” and “Advanced,” topping out at “Innovative.” As the statements progress between levels, the difficulty and complexity increase. For most institutions it is not expected that you can or should answer yes to every statement in the spectrum.


Cybersecurity Maturity includes statements to determine whether your institution’s behaviors, practices, and processes can support cybersecurity preparedness within the following five domains:

  • Cyber Risk Management and Oversight;
  • Threat Intelligence and Collaboration;
  • Cybersecurity Controls;
  • External Dependency Management; and
  • Cyber Incident Management and Resilience.

Within each of the five domains there are contributing components, or sub-categories. Then under each contributing component, there are declarative statements that describe an activity supporting the assessment factor at each maturity level. Your goal is to answer yes or no to each statement, then calculate your score to determine your current maturity level.


There is no weighting in the scoring. You must answer “Yes” on each statement in a level to achieve that level in the Domain. A “No” in a single statement for a level means a “No” at that level for the domain.

For example, missing one Baseline statement in the Cybersecurity Controls Domain means you are not compliant, regardless of how many other statements of varying difficulty you answered “Yes” to in the Cybersecurity Controls Domain. The result is a score of “Below Regulatory Expectations” for the whole domain.
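One way to implement the unweighted, all-or-nothing domain scoring described above, as an added example that is not the FFIEC tool's own logic or Sage's: the level names come from the post, the sample answers are constructed, and the rule that a higher level only counts when every lower level is also complete is an assumption.

```python
# Added example (not from the FFIEC tool or Sage Data Security): scores one
# domain of the Cybersecurity Maturity Profile under the unweighted rule the
# post describes: every statement in a level must be "Yes" to earn that level.
# Assumption: a higher level only counts once all lower levels are attained.
from typing import Dict, List

LEVELS: List[str] = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]
BELOW = "Below Regulatory Expectations"

def level_attained(answers: List[bool]) -> bool:
    """A level is attained only when every declarative statement is 'Yes'.
    There is no weighting, so a single 'No' fails the whole level."""
    return len(answers) > 0 and all(answers)

def domain_maturity(domain: Dict[str, List[bool]]) -> str:
    """Return the highest level whose statements, and all lower levels'
    statements, are all 'Yes'. Missing any Baseline statement yields
    'Below Regulatory Expectations' for the domain."""
    attained = BELOW
    for level in LEVELS:
        if not level_attained(domain.get(level, [])):
            break  # once a level fails, higher levels do not count
        attained = level
    return attained

def failed_statements(domain: Dict[str, List[bool]]) -> Dict[str, List[int]]:
    """0-based index of each 'No' per level: the gap list you need for a
    road map, which the raw score alone does not give you."""
    return {lvl: [i for i, a in enumerate(ans) if not a]
            for lvl, ans in domain.items() if not all(ans)}

# Constructed sample answers for the Cybersecurity Controls domain
# (statement counts are illustrative, not the real 494-statement inventory).
CONTROLS_ONE_BASELINE_NO = {
    "Baseline":     [True, True, False, True],
    "Evolving":     [True, True, True],
    "Intermediate": [True, True],
}
CONTROLS_EVOLVING = {
    "Baseline":     [True, True, True, True],
    "Evolving":     [True, True, True],
    "Intermediate": [True, False],
    "Advanced":     [True],  # all 'Yes' but does not count: Intermediate failed
}

if __name__ == "__main__":
    print(domain_maturity(CONTROLS_ONE_BASELINE_NO))  # Below Regulatory Expectations
    print(domain_maturity(CONTROLS_EVOLVING))         # Evolving
    print(failed_statements(CONTROLS_EVOLVING))       # {'Intermediate': [1]}
```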

The End Result – What Does it All Mean?

The final products of the FFIEC Assessment tool are:

  • Your Inherent Risk Value, somewhere between “Least” and “Most”.
  • Cybersecurity Maturity Score (based on the 494 yes or no answers) somewhere between “Below Regulatory Expectations” and “Innovative” for each domain.
  • The matrix position for your institution mapping the risk to the expected maturity level.

At the end of this process, you should be able to determine whether your institution’s cybersecurity preparedness is aligned with your risk profile. If not, you will need to develop a clear road map to reach at least the minimum level you need to be at.

Spoiler alert! Many of the “Baseline Maturity” statements correlate directly to the existing FFIEC Handbooks, so there is an implied expectation that all entities will achieve at least this level of maturity.

While the Assessment is a voluntary method, it is highly recommended that financial institutions utilize it to prepare for upcoming examinations. Plus it’s a great tool that allows you to get a true picture of how you are doing from a cybersecurity standpoint, and delivers a repeatable process to gauge your progress from year to year. Most importantly it helps you set target goals and then have a way to achieve those goals.

Feeling Overwhelmed?

What the Assessment does not provide is context for those yes and no answers, or a roadmap for what your institution will need to work on and why. Sage Data Security has developed an assessment process in alignment with the FFIEC tool that provides the missing context and an operable roadmap for achieving your required Maturity level. Our collaborative approach ensures that the assessment process is effective, educational, and delivers actionable outcomes. The service is available as part of our Executive Cybersecurity Readiness Program or as a standalone engagement.


Topics: Compliance, Financial Sector


The Sage Cybersecurity Lifecycle

The Sage Data Security Cybersecurity Lifecycle

Cybersecurity isn’t a destination.

There is no single, straight path that will get you to the point where you can say, “We did it! We’re 100% cyber-secure.”

A more realistic destination is cyber resiliency – the ability to prepare for and adapt to changing conditions, so you can withstand and recover rapidly from disruptions. Achieving cyber resilience depends on what we like to call the cybersecurity lifecycle – an ongoing cycle of interconnected elements that complement and reinforce one another.
