The Federal Financial Institutions Examination Council (FFIEC) agencies released a cybersecurity assessment tool in June to help credit unions and others identify their risks and assess their cybersecurity preparedness. The FFIEC based the tool on its 2014 pilot assessment of more than 500 financial institutions’ cybersecurity preparedness.
The assessment tool incorporates cybersecurity-related principles from the FFIEC Information Technology (IT) Examination Handbook and the National Institute of Standards and Technology (NIST) Cybersecurity Framework, as well as industry-accepted cybersecurity practices. NIST defines cybersecurity as “the process of protecting information by preventing, detecting, and responding to attacks.”
NCUA encourages credit unions to familiarize themselves with the assessment tool, which FFIEC designed to provide a “repeatable and measurable process” for institutions to evaluate their cybersecurity preparedness over time. Credit unions of all sizes may use the tool, as well as their own methodologies, to perform a self-assessment of their risk management strategies.
The FFIEC agencies—the Federal Reserve Board, Federal Deposit Insurance Corp., NCUA, Office of the Comptroller of the Currency (OCC), Consumer Financial Protection Bureau, and State Liaison Committee—will implement the assessment as part of the examination process to benchmark and monitor institutions’ cybersecurity efforts. OCC examiners will incorporate the assessment in late 2015, and NCUA is projected to use the tool in mid-2016.
Completing the assessment
According to the assessment tool’s user guide, credit unions should integrate cybersecurity on an enterprise-wide basis and when introducing new products and services as part of the institution’s governance, information security, business continuity, and third-party risk management processes.
The assessment includes two parts: an “inherent risk profile” and “cybersecurity maturity.”
The inherent risk profile identifies the amount of risk posed to a credit union by the types, volume, and complexity of its activities, products, and services in the following categories (not including mitigating controls):
When completing the first part of the assessment, the credit union selects the most appropriate “inherent risk level” for each activity, service, or product within each category.
The FFIEC defines the five risk levels as follows:
The credit union determines its overall inherent risk profile based on the number of applicable statements in each risk level for all activities. After making this determination, the credit union transitions to the cybersecurity maturity part of the assessment.
Credit unions evaluate cybersecurity maturity in these “domains”:
Each domain has the following levels of maturity:
Assessment factors exist within each of the five domains, contributing components, and declarative statements describing activities that support the assessment factor at the applicable maturity level.
A credit union’s cybersecurity maturity level depends on its inherent risk profile. If the maturity level isn’t appropriate in relation to the inherent risk profile, the credit union may consider either reducing inherent risk or developing a strategy to improve the maturity levels. Using the maturity levels in each domain, credit unions can identify potential actions that can increase the institution’s overall cybersecurity preparedness.
Once completed, credit union staff should communicate assessment results to the CEO and board of directors for review.
VALERIE Y. MOSS is CUNA’s senior director of compliance analysis. Contact CUNA’s compliance department at email@example.com.