The Federal Financial Institutions Examination Council (FFIEC) has released its long-awaited Cybersecurity Assessment Tool (Assessment) to help financial institutions identify the inherent risks faced by a company and determine the level of maturity of a company’s cybersecurity preparedness. The tool is the latest resource developed by the FFIEC to raise awareness among financial institutions and their critical third-party service providers regarding cybersecurity risks in light of the ever-growing volume and sophistication of cyber threats.

Although use of the Assessment is optional, the FFIEC believes the tool can “help management and directors of financial institutions understand supervisory expectations, increase awareness of cybersecurity risks, and assess and mitigate the risks facing their institutions.” The federal Office of the Comptroller of the Currency (OCC) has also announced it will incorporate the Assessment into its examinations of financial institutions subject to its jurisdiction in late 2015.

The Assessment and related materials are noteworthy for a number of reasons. First, the FFIEC materials include cybersecurity guidance addressed specifically to CEOs and Boards of Directors. Second, the Assessment provides a ready-to-use risk assessment framework, including risk areas, relevant control activities, definitions, and ratings scales, which can be easily executed by companies. Third, companies that already have an information security risk assessment framework can review their current methodology against the Assessment as a way of gauging the adequacy of that methodology. Fourth, the Assessment builds on and references all of the existing FFIEC guidance on cybersecurity-related control activities, which makes it easier to understand bank regulators’ expectations. Finally, the FFIEC has mapped the Assessment to the National Institute of Standards and Technology (NIST) Cybersecurity Framework as well as the FFIEC IT Examination Handbook.

The Assessment consists of two parts: (1) Inherent Risk Profile and (2) Cybersecurity Maturity. Part I identifies risks in the following five categories to determine a financial institution’s Inherent Risk Profile:

  • Technologies and Connection Types
  • Delivery Channels
  • Online/Mobile Products and Technology Services
  • Organizational Characteristics
  • External Threats

The risk levels (ranging from Least Inherent Risk to Most Inherent Risk) provide insight into the type, volume, and complexity of the inherent risks identified in each category.

Part II of the Assessment determines the financial institution’s Cybersecurity Maturity levels across each of the following five domains:

  • Cyber Risk Management and Oversight
  • Threat Intelligence and Collaboration
  • Cybersecurity Controls
  • External Dependency Management
  • Cyber Incident Management and Resilience

The maturity levels (ranging from “Baseline” to “Innovative”) provide financial institutions with a measurement of the controls available to manage the inherent risks identified in Part I.

According to the FFIEC, “The Assessment provides a repeatable and measurable process for financial institutions to measure their cybersecurity preparedness over time.” The FFIEC believes that financial institutions can interpret and analyze the results of the Assessment to guide decisions about reducing inherent risk or developing a strategy to improve maturity levels. The FFIEC has also identified the following benefits to financial institutions that choose to use the Assessment:

  • Identifying factors contributing to and determining the institution’s overall cyber risk;
  • Assessing the institution’s cybersecurity preparedness;
  • Evaluating whether the institution’s cybersecurity preparedness is aligned with its risks;
  • Determining risk management practices and controls that could be enhanced and actions that could be taken to achieve the institution’s desired state of cyber preparedness; and
  • Informing risk management strategies.

Members of Ballard Spahr’s Privacy and Data Security Group can help your company execute the Assessment. Our attorneys have designed and led enterprise-wide information security risk assessments based on FFIEC guidance. We also conduct reviews of information security programs to help clients ensure that they and their third-party service providers are mitigating key risks and meeting regulatory standards. We have extensive experience assisting clients with security and privacy breach investigations and response.

If you have questions about this alert, please contact John L. Culhane, Jr., at (215) 864-8535, Daniel JT McKenna at (215) 864-8321, or the Ballard Spahr attorney with whom you regularly work.

Copyright © 2015 by Ballard Spahr LLP.
(No claim to original U.S. government material.)

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.

This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.