FFIEC Introduces Cybersecurity Self-Assessment Tool
The OCC and NCUA soon will incorporate the assessment into examinations.
The Federal Financial Institutions Examination Council (FFIEC) agencies released a cybersecurity assessment tool in June to help credit unions and others identify their risks and assess their cybersecurity preparedness. The FFIEC based the tool on its 2014 pilot assessment of more than 500 financial institutions’ cybersecurity preparedness.
The assessment tool incorporates cybersecurity-related principles from the FFIEC Information Technology (IT) Examination Handbook and the National Institute of Standards and Technology (NIST) Cybersecurity Framework, as well as industry-accepted cybersecurity practices. NIST defines cybersecurity as “the process of protecting information by preventing, detecting, and responding to attacks.”
NCUA encourages credit unions to familiarize themselves with the assessment tool, which FFIEC designed to provide a “repeatable and measurable process” for institutions to evaluate their cybersecurity preparedness over time. Credit unions of all sizes may use the tool, as well as their own methodologies, to perform a self-assessment of their risk management strategies.
The FFIEC agencies—the Federal Reserve Board, Federal Deposit Insurance Corp., NCUA, Office of the Comptroller of the Currency (OCC), Consumer Financial Protection Bureau, and State Liaison Committee—will implement the assessment as part of the examination process to benchmark and monitor institutions’ cybersecurity efforts. OCC examiners will incorporate the assessment in late 2015, and NCUA is projected to use the tool in mid-2016.
Completing the assessment
According to the assessment tool’s user guide, credit unions should integrate cybersecurity on an enterprise-wide basis and when introducing new products and services as part of the institution’s governance, information security, business continuity, and third-party risk management processes.
The assessment includes two parts: an “inherent risk profile” and “cybersecurity maturity.”
The inherent risk profile identifies the amount of risk posed to a credit union by the types, volume, and complexity of its activities, products, and services in the following categories (not including mitigating controls):
- Technologies and connections: the number of Internet service provider (ISP) and third-party connections; whether systems are hosted internally or outsourced; the number of unsecured connections; the use of wireless access; volume of network devices; end-of-life systems; extent of cloud services; and use of personal devices.
- Delivery channels: the availability of products and services through online and mobile delivery channels; and the extent of ATM operations.
- Online/mobile products and technology services: debit and credit cards; person-to-person payments; originating automated clearing house (ACH) transactions; wire transfers; remote deposit capture; international remittances; etc.
- Organizational characteristics: mergers; number of direct employees and cybersecurity contractors; changes in security staffing; the number of users with privileged access; changes in IT environment; locations of operations and data centers, etc.
- External threats: the volume and type of cyberattacks that target the institution.
When completing the first part of the assessment, the credit union selects the most appropriate “inherent risk level” for each activity, service, or product within each category.
The FFIEC defines the five risk levels as follows:
- Least inherent risk: Makes very limited use of technology; employs few computers, applications, and systems, and has no connections; offers a limited variety of products and services; maintains a small geographic footprint; and has few employees.
- Minimal inherent risk: Possesses limited technological complexity; offers limited variety of less risky products and services; outsources mission-critical systems; uses established technologies; and maintains a few types of connections to members and third parties with limited complexity.
- Moderate inherent risk: Uses somewhat complex technology in terms of volume and sophistication; may outsource or support internal mission-critical systems and applications; offers a greater variety of products and services through diverse channels.
- Significant inherent risk: Employs complex technology in terms of scope and sophistication; offers high-risk products and services that may include emerging technologies; may host a significant number of applications internally; allows the use of personal devices or a large variety of device types; maintains a substantial number of connections to members and third parties; offers a variety of payment services directly, rather than through a third party, with a significant level of transaction volume.
- Most inherent risk: Employs extremely complex technologies to deliver myriad products and services, some at the highest level of risk, including those offered to other organizations; utilizes new and emerging technologies across multiple delivery channels; may outsource some mission-critical systems or applications but hosts many internally; and maintains a large number of connection types to transfer data with members and third parties.
The credit union determines its overall inherent risk profile based on the number of applicable statements in each risk level for all activities. After making this determination, the credit union transitions to the cybersecurity maturity part of the assessment.
Credit unions evaluate cybersecurity maturity in these “domains”:
- Domain 1: Cyber risk management and oversight;
- Domain 2: Threat intelligence and collaboration;
- Domain 3: Cybersecurity controls;
- Domain 4: External dependency management; and
- Domain 5: Cyber incident management and resilience.
Each domain has the following levels of maturity:
- Baseline maturity, characterized by minimum expectations required by law and regulations or recommended in supervisory guidance. This level includes compliance-driven objectives. Management has reviewed and evaluated guidance.
- Evolving maturity, characterized by additional formality of documented procedures and policies not already required. Management has implemented risk-driven objectives, and has formally assigned and broadened cybersecurity accountability beyond protection of customer information to incorporate information assets and systems.
- Intermediate maturity, characterized by detailed, formal processes, including validated, consistent controls, and the integration of risk management practices and analysis into business strategies.
- Advanced maturity, characterized by cybersecurity practices and analytics integrated across lines of business. The majority of risk management processes are automated and include continuous process improvement. Accountability for risk decisions by front-line businesses is formally assigned.
- Innovative maturity, characterized by driving innovation in people, processes, and technology for the institution and the industry to manage cyber risks. This may entail developing new controls, new tools, or creating new information-sharing groups. Real-time, predictive analytics are tied to automated responses.
Each of the five domains contains assessment factors; each assessment factor has contributing components, and each component has declarative statements describing the activities that support the assessment factor at the applicable maturity level.
A credit union’s cybersecurity maturity level depends on its inherent risk profile. If the maturity level isn’t appropriate in relation to the inherent risk profile, the credit union may consider either reducing inherent risk or developing a strategy to improve the maturity levels. Using the maturity levels in each domain, credit unions can identify potential actions that can increase the institution’s overall cybersecurity preparedness.
Once the assessment is complete, credit union staff should communicate the results to the CEO and board of directors for review.
VALERIE Y. MOSS is CUNA’s senior director of compliance analysis. Contact CUNA’s compliance department at email@example.com.