The Federal Financial Institutions Examination Council (FFIEC) Wednesday issued a statement emphasizing the benefits of using a standardized approach to assess and improve cybersecurity preparedness. Adopting this approach allows institutions to better track progress over time and share best practices with other institutions and regulators.

According to the FFIEC, ”institutions may choose from a variety of standardized tools aligned with industry standards and best practices to assess their cybersecurity preparedness.”

These tools include:

• FFIEC Cybersecurity Assessment Tool, which provides a measurable and repeatable process for financial institutions to measure preparedness over time;
• National Institute of Standards and Technology Cybersecurity Framework, a voluntary framework of standards, guidelines and best practices to manage cybersecurity-related risk;
• Financial Services Sector Coordinating Council Cybersecurity Profile, which is a scalable and extensible assessment for internal and external cyber risk management assessment; and
• Center for Internet Security Critical Security Controls, a prioritized set of actions to protect an organization and data from known cyber attack vectors.

While the FFIEC does not endorse any particular tool, these standardized tools support institutions in their self-assessment activities. 

However, the tools are not examination programs and the FFIEC members take a risk-focused approach to examinations. As cyber risk evolves, examiners may address areas not covered by all tools.