The increased volume and sophistication of cybersecurity threats and vulnerabilities have left many financial institution boards of directors and senior management eager to better understand how well their institution’s control environment effectively addresses cybersecurity risks. In response to this and to address the changing operational environments in which financial institutions connect and engage, in 2017 the Federal Financial Institutions Examination Council (FFIEC) updated its Cybersecurity Assessment Tool, released in 2014. By using the assessment on an ongoing basis, boards of directors and management hope to enhance their oversight of an institution’s cybersecurity risk management.
The assessment is a framework designed to help financial institution and third-party service provider boards of directors and management determine and monitor their organization’s cybersecurity preparedness and reflect cyber risks at the enterprise level. It gives them the tools to evaluate whether the institution’s inherent cybersecurity risks are addressed by the institution’s level of cybersecurity preparedness. Where misalignment exists, the board of directors or senior management can choose the target state of cybersecurity preparedness that best aligns to its stated or approved risk appetite. Needed or required enhancements to risk management practices and controls then can be analyzed, reviewed and approved to achieve the desired preparedness state and inform key stakeholders of risk management strategies. Financial institutions are encouraged to update and review the risk assessment on an annual basis.
The assessment comprises two interrelated sections: Inherent Risk Profile and Cybersecurity Maturity. Management and the board of directors use both parts of the assessment to identify weaknesses and decide whether and what actions are needed to change the inherent risk profile or achieve the desired state of maturity. It is intended to be used over time, changing as the institution’s inherent risk profile and maturity levels change because of shifting threats and vulnerabilities or changes in the institution’s operational environment. Launching new services or establishing new connections, for example, may warrant re-evaluation of the institution’s risk profile against its cybersecurity preparedness.
The Inherent Risk Profile helps management understand the financial institution’s inherent risk of cybersecurity threats and vulnerabilities. The inherent risk assessment considers internal and external threats and vulnerabilities to the financial institution’s information assets and supporting infrastructure. It incorporates consideration of the institution’s operational complexities, technology use, delivery channels and connection types for each product and service offering potentially vulnerable to a technology-based attack.
Outcomes of the Inherent Risk Profile—ranging across five risk levels from least to most inherent risk—are used to assess the institution’s cybersecurity preparedness. In general, the inherent risk level of each activity, product and service should correspond to the institution’s cybersecurity preparedness or maturity level in that area.
Institution management determines the institution’s Cybersecurity Maturity—baseline, intermediate, advanced or innovative—by answering declarative statements (assessment factors) in each of these domains:
- Cyber Risk Management and Oversight
- Threat Intelligence and Collaboration
- Cybersecurity Controls
- External Dependency Management
- Cyber Incident Management and Resilience
Baseline-level declarative statements in the assessment correspond with the risk management and control expectations outlined in the FFIEC Information Technology (IT) Examination Handbook.
A maturity level is achieved in any one domain by attaining and sustaining all of the declarative statements contained in that level and in every lower level. Declarative statements address preventing, detecting and responding to cybersecurity risks, and each level builds on the one before it through the maturity level structure. As a result, as an institution’s cybersecurity preparedness increases, it will be able to answer affirmatively to the declarative statements describing higher levels of implementation maturity.
Although the assessment is standardized, an institution’s cybersecurity assessment should be customized to meet its needs. For example, management is expected to include its existing supplementary or complementary behaviors and unique practices and processes to attain a declarative statement or to otherwise support partial implementation of a declarative statement.
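The cumulative maturity rule and the board-chosen target state described above lend themselves to a simple self-assessment tracker. The following is an added example, not code from BKD or from the FFIEC tool: the domain names and maturity levels are the ones given in this article, while the statement identifiers (`CC.B.1`, `IR.I.1` and so on), the answers and the target levels are constructed sample data, and the decision to count a "yes with compensating controls" answer as attainment is an assumption made here to reflect the supplementary practices management may include.

```python
# Added example (not part of the BKD article or the FFIEC tool): a minimal
# maturity calculator applying the cumulative rule described above. Statement
# ids, answers and targets are constructed sample data.

# Maturity levels in ascending order, as listed in the text above.
LEVELS = ["baseline", "intermediate", "advanced", "innovative"]

# Assumption: "yes" or "yes_with_compensating_controls" attains a statement;
# anything else ("no", unanswered) does not.
ATTAINED = {"yes", "yes_with_compensating_controls"}

# Constructed sample: a few hypothetical statement ids per level for two of the
# five domains. A real assessment has far more statements per level.
STATEMENTS = {
    "Cybersecurity Controls": {
        "baseline": ["CC.B.1", "CC.B.2"],
        "intermediate": ["CC.I.1"],
        "advanced": ["CC.A.1"],
        "innovative": ["CC.N.1"],
    },
    "Cyber Incident Management and Resilience": {
        "baseline": ["IR.B.1"],
        "intermediate": ["IR.I.1"],
        "advanced": ["IR.A.1"],
        "innovative": ["IR.N.1"],
    },
}

# Constructed sample answers, keyed by statement id.
ANSWERS = {
    "CC.B.1": "yes",
    "CC.B.2": "yes_with_compensating_controls",
    "CC.I.1": "yes",
    "CC.A.1": "no",
    "CC.N.1": "yes",  # attained, but cannot count while "advanced" is not
    "IR.B.1": "no",
    "IR.I.1": "yes",
    "IR.A.1": "no",
}

# Constructed target state per domain, as a board might choose it.
TARGETS = {
    "Cybersecurity Controls": "advanced",
    "Cyber Incident Management and Resilience": "intermediate",
}


def level_attained(statements, answers, level):
    """True when every statement at this level is attained."""
    return all(answers.get(sid) in ATTAINED for sid in statements.get(level, []))


def domain_maturity(statements, answers):
    """Highest level whose statements and all lower levels' statements are
    attained (cumulative rule). None means even baseline is not attained."""
    achieved = None
    for level in LEVELS:
        if not level_attained(statements, answers, level):
            break  # a gap here blocks every higher level, even if answered yes
        achieved = level
    return achieved


def gap_to_target(statements, answers, target):
    """Statements not yet attained at or below the target level, returned as
    (level, statement_id) pairs in level order."""
    wanted = LEVELS[: LEVELS.index(target) + 1]
    return [
        (level, sid)
        for level in wanted
        for sid in statements.get(level, [])
        if answers.get(sid) not in ATTAINED
    ]


def assess(all_statements, answers, targets):
    """Per-domain summary: current maturity, chosen target and remaining gap."""
    report = {}
    for domain, statements in all_statements.items():
        target = targets[domain]
        gaps = gap_to_target(statements, answers, target)
        report[domain] = {
            "maturity": domain_maturity(statements, answers),
            "target": target,
            "gaps": gaps,
            "meets_target": not gaps,
        }
    return report


if __name__ == "__main__":
    for domain, row in assess(STATEMENTS, ANSWERS, TARGETS).items():
        print(domain, row)
```

Note that the Cybersecurity Controls sample has its innovative-level statement answered "yes" yet scores only intermediate, because the unmet advanced-level statement blocks every level above it; this is the cumulative rule in action, and the gap list is what management would take to the board when deciding which enhancements to approve.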
Financial institution and third-party service provider management may use any one or more available risk assessment frameworks or cybersecurity assessment tools to measure its cybersecurity risk management maturity over time.[1] Alternatively, or in addition to using the assessment to monitor its own cybersecurity preparedness, a financial institution may choose to use the assessment as part of its program to monitor the cybersecurity preparedness of critical third parties.
For more information, contact your BKD advisor or visit BKD’s Enterprise Risk Solutions webpage.
[1] Financial institutions or critical third-party service providers of financial institutions may choose to engage an independent CPA to examine how effective the institution’s program is in identifying, assessing and mitigating cybersecurity risks. In these situations, the financial institution or third-party service provider may choose to issue a System and Organization Controls (SOC) 2® report with additional cybersecurity subject matter or criteria. A report of this type would cover SOC 2® criteria plus, e.g., the American Institute of CPAs’ (AICPA) Cybersecurity Risk Management examination criteria (SOC 2® + SOC for Cybersecurity examination), or SOC 2® criteria plus, e.g., the National Institute of Standards and Technology (NIST) Cybersecurity Framework (SOC 2® + NIST Cybersecurity Framework examination). Appendix B to the FFIEC’s Assessment includes a mapping of the Assessment to the statements in the NIST Cybersecurity Framework.