Banking and Finance Law Daily
Tuesday, October 18, 2016

FAQ guide for cybersecurity tool will help banks evaluate risk

By Colleen M. Svelnis, J.D.

The Office of the Comptroller of the Currency plans to gradually incorporate a Cybersecurity Assessment Tool developed by the Federal Financial Institutions Examination Council (FFIEC) into examinations of national banks, federal savings associations, and federal branches and agencies. To that end, the FFIEC and OCC have released Frequently Asked Questions about the assessment tool to assist examiners and banks. The FAQs incorporate questions from bankers on how to use the tool. The Federal Deposit Insurance Corporation also issued a Financial Institution Letter informing banks of the availability of the FAQs.

The assessment tool is intended for banks of all sizes to evaluate their risks and cybersecurity preparedness. According to the FFIEC, it provides a repeatable and measurable process that financial institutions may use to measure their cybersecurity preparedness over time.

The assessment tool incorporates concepts and principles contained in the FFIEC Information Technology Examination Handbook, regulatory guidance, applicable laws and regulations, FFIEC joint statements, and well-known industry standards, such as the National Institute of Standards and Technology’s Cybersecurity Framework. Use of the assessment tool is voluntary.

The assessment has two parts: an inherent risk profile and a cybersecurity maturity assessment. The inherent risk profile identifies the amount of risk posed to a bank by the types, volume, and complexity of the bank’s technologies and connections, notwithstanding the bank’s risk-mitigating controls. Cybersecurity maturity is evaluated in five domains. A bank’s appropriate cybersecurity maturity levels depend on its inherent risk profile.

Value of tool. The assessment tool can be used by management to help with oversight of the bank’s cybersecurity by:

  • identifying factors contributing to and determining the institution’s overall cyber risk;

  • assessing the institution’s cybersecurity preparedness;

  • evaluating whether the institution’s cybersecurity preparedness is aligned with its inherent risks;

  • determining risk management practices and controls that are needed or require enhancement and actions to be taken to achieve the desired state; and

  • informing risk management strategies.

