
Written by: Rita L. Lucivero, CISA
With the threat landscape ever-changing, cybersecurity has been a hot topic of the Federal Financial Institutions Examination Council (FFIEC) as of late. Last year, the FFIEC created a pilot program in which over 500 community financial institutions were subject to cybersecurity assessments as part of their regular exams. Following this initiative, the FFIEC released a Cybersecurity Assessment Tool at the end of June 2015 to help financial institutions determine their cyber risks and assess their cybersecurity preparedness. 

While the tool itself is really more of a model than an actual tool per se, it will prove useful to financial institutions of all sizes for performing their own cybersecurity self-assessment and improving upon their risk management strategies. To this point, the tool should be used to enhance your institution’s cybersecurity program and risk management processes, not replace them. 

There are two main parts of the tool: 

Part One: Inherent Risk Profile
As in any risk assessment, the first step is identifying your organization’s inherent risk. This will help your institution measure its potential vulnerabilities to cyberattacks. This profile is based on five categories:

  1. Technologies and Connection Types 
  2. Delivery Channels 
  3. Online/Mobile Products and Technology Services 
  4. Organizational Characteristics 
  5. External Threats 

Using these five categories, you’ll be able to rate your organization’s activities, products, and services on a five-point scale: Least Inherent Risk, Minimal Inherent Risk, Moderate Inherent Risk, Significant Inherent Risk, and Most Inherent Risk. By rating each activity, product, or service within the above-mentioned categories, management can then determine the overall Inherent Risk Profile. 

Part Two: Cybersecurity Maturity 
Once your Inherent Risk Profile has been determined, you need to determine the overall effectiveness of your institution’s cybersecurity methods and practices. The Cybersecurity Maturity assessment allows institutions to do this by determining the maturity level for each of the five domains:

  1. Cyber Risk Management and Oversight 
  2. Threat Intelligence and Collaboration
  3. Cybersecurity Controls 
  4. External Dependency Management 
  5. Cyber Incident Management and Resilience 

Maturity levels start with the Baseline level (the minimum expectations required by law or recommended in supervisory guidance) and end with the Innovative level (driving innovation in people, processes, and technology for your institution and the industry to manage cyber risks). Each domain comprises assessment factors and contributing components, and each component is made up of declarative statements. Your job will be to determine which declarative statements best describe the current practices of your organization under each Assessment Factor for each Domain. 

To reach a given maturity level for an assessment factor, you need to have met every declarative statement at that level as well as every declarative statement at each lower level. If a statement is not applicable to your organization, this will not prevent you from reaching a higher maturity level. 
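The cumulative rule above is easy to get wrong in a spreadsheet, so here is an added example (not code from the FFIEC tool or from this post) that computes the level reached for one assessment factor and lists the statements blocking the next level. It assumes the five level names as published in the FFIEC tool (only Baseline and Innovative are named on this page), that responses are coded "Y", "N" or "N/A", and that a level with no statements counts as met; the statement ids in the sample are constructed placeholders.

```python
# Ordered maturity levels as published in the FFIEC tool. Only Baseline and
# Innovative appear on the page; the three middle names come from the tool.
MATURITY_LEVELS = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]

# Responses: "Y" = practice in place, "N" = not in place, "N/A" = not applicable.
# Per the post, a not-applicable statement does not block a higher level,
# so it counts as satisfied.
SATISFIED = {"Y", "N/A"}


def level_met(responses):
    """True when every declarative statement at a level is satisfied.
    Assumption: a level with no statements is vacuously met."""
    return all(r in SATISFIED for r in responses.values())


def maturity_level(factor):
    """Highest level reached for one assessment factor, or None if even
    Baseline is not met. `factor` maps level name -> {statement id: response}.
    Levels must be met cumulatively: the first unmet level ends the climb,
    even if a higher level happens to be fully satisfied."""
    achieved = None
    for level in MATURITY_LEVELS:
        if not level_met(factor.get(level, {})):
            break
        achieved = level
    return achieved


def blocking_statements(factor):
    """Return (next level, ids answered 'N' there) showing what prevents the
    factor from advancing, or (None, []) when Innovative is already reached."""
    for level in MATURITY_LEVELS:
        responses = factor.get(level, {})
        if not level_met(responses):
            return level, sorted(sid for sid, r in responses.items() if r == "N")
    return None, []


# Constructed sample: one assessment factor with placeholder statement ids.
SAMPLE_FACTOR = {
    "Baseline": {"B.1": "Y", "B.2": "Y", "B.3": "N/A"},
    "Evolving": {"E.1": "Y", "E.2": "N/A"},
    "Intermediate": {"I.1": "Y", "I.2": "N", "I.3": "N"},
    "Advanced": {"A.1": "Y"},  # met on its own, but unreachable past the gap above
    "Innovative": {"In.1": "N"},
}

if __name__ == "__main__":
    print(maturity_level(SAMPLE_FACTOR))       # Evolving
    print(blocking_statements(SAMPLE_FACTOR))  # ('Intermediate', ['I.2', 'I.3'])
```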

Once your Inherent Risk Profile and Cybersecurity Maturity assessment are completed, you can compare your Risk Profile to your Maturity results to determine where your institution stands. Once you make this comparison, you can determine whether you need to reduce the level of risk or increase the level of maturity. This program is meant to evolve over time and, like any assessment, you’ll want to update it periodically as threats, vulnerabilities, and your operational environment change.

View the Press Release Here
Obtain the Tool Here
View the Cybersecurity Assessment User’s Guide Here

If you have any questions or if you would like a review of your cybersecurity preparedness, please contact Rita L. Lucivero, CISA, IT Assurance Senior Consultant, at 617-261-8185 or