United States

FFIEC develops cybersecurity assessment tool


The Federal Financial Institutions Examination Council (FFIEC) developed a cybersecurity assessment tool designed to help institutions identify their risks and determine their level of cybersecurity preparedness. The assessment consists of two parts: 

The first part requires institutions to determine its inherent risk in five areas, which will then give management the information needed to determine the institution's overall inherent risk profile. The five key areas are:

  • Technologies and connection types which include the number of Internet service provider and third-party connections, where systems are hosted (internally or outsourced), number of unsecured connections, use of wireless access, volume of network devices, end-of-life systems, extent of cloud services and use of personal devices. 
  • Delivery channels increase inherent risk as the variety and number of them increases. This area looks at whether products and services are available via online and mobile delivery channels and the extent to which ATMs are used.
  • Online and mobile products and technology services look at the various payment services offered including debit and credit cards, person-to-person payments, originating ACH, retail wire transfers, wholesale payments, merchants' remote deposit capture, global remittances and correspondent banking. This area also considers whether the institution provides technology services to other organizations.
  • Organizational characteristics consider mergers and acquisitions, number of direct employees and cybersecurity contractors, changes in security staffing or IT environment, number of users with privileged access, and the locations of business offices and operations and data centers.
  • External threats focus on the volume and sophistication of the attacks targeting the institution.

The second part of the assessment called cybersecurity maturity, is designed to help management measure the institution's level of risk and its corresponding controls. This part consists of five domains for which the institution determines which of several declarative statements best fit the current practices of the institution. The results will allow the institution to rank its cybersecurity maturity level as either baseline, evolving, intermediate, advanced or innovative. The five domains are:

  • Cyberrisk management and oversight focus on the development and implementation of an effective enterprise-wide cybersecurity program with comprehensive policies and procedures for establishing appropriate accountability and oversight.
  • Threat intelligence and collaboration consider processes to effectively discover, analyze and understand cyberthreats, as well as the capability to share information internally and with appropriate third parties.
  • Cybersecurity controls evaluate the practices and processes used to protect assets, infrastructure, and information through continuous, automated protection and monitoring.
  • External dependency management stresses the establishment and maintenance of a comprehensive program to oversee and manage external connections and third-party relationships that have access to the institution's technology assets and information.
  • Cyber incident management and resilience review the establishment, identification and analysis of cyber events; the institution's mitigation; and sharing information with appropriate stakeholders. It includes both planning and testing to maintain and recover ongoing operations during and following a cyber incident.

Upon completion of both parts, the institution should be able to evaluate whether its inherent risk and controls are in alignment. The materials provided by the FFIEC include a variety of related resources including an overview for the CEO and the board of directors that provides an effective summary of the assessment.   

The Office of the Comptroller of the Currency, Federal Deposit Insurance Corporation and the Board of Governors of the Federal Reserve have all indicated that they will begin incorporating this assessment tool into the exam process beginning in late 2015.