On June 30, 2015, the FFIEC released its cybersecurity assessment tool designed to assist U.S. financial institutions and regulatory examiners identify inherent cybersecurity risks and determine preparedness level of financial institutions. The cybersecurity assessment tool and other resources can be found here.
Background
The FFIEC, which is composed of the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, the Consumer Financial Protection Bureau, the National Credit Union Administration and the State Liaison Committee, formed the Cybersecurity and Critical Infrastructure Working Group in 2013 to assess cyber risk and increase awareness among U.S. financial institutions. In 2014, the FFIEC ran a pilot examination program where it assessed the preparedness of over 500 financial institutions. The assessment tool is partly the result of that study.
General Observations
The FFIEC notes cyberattacks have become more common. New platforms, such as cloud and social media, and new technologies, such as mobile devices and applications, are creating new cyberattack opportunities. Attacks are evolving as more information becomes readily available online, allowing attackers to tailor attacks based on the online behavior of their targets.
The release of the Cybersecurity Assessment Tool demonstrates that regulators are becoming increasingly concerned not only about the level of readiness of financial institutions, but also about the capability of financial institutions’ senior management and boards to respond to cyberattacks. As concern over cybersecurity grows, additional pressure is being placed on senior management and the board to ensure the institution is implementing appropriate risk management and governance practices to ensure the right information is communicated to the right people at all times.
The assessment tool is structured as a two-part process. The first part consists of an assessment of the institution’s inherent risk profile according to its type, volume and complexity of technology and connection types; delivery channels; online mobile products and services; organizational characteristics and external threats, without consideration for any mitigating controls already in place.
The second part consists of an assessment of the institution’s cybersecurity maturity in five different risk areas or domains: management and oversight; threat intelligence and collaboration; cybersecurity controls; external dependency management; cyber incident management and resilience. Each domain includes assessment factors, components and declarative statements that enable institutions to identify practices, process and controls in place across five maturity levels: baseline, evolving, intermediate, advanced and innovative.
The assessment is not designed to identify an institution’s overall cybersecurity maturity level. Rather, the tool can be used to understand whether the institution’s risk management practices and controls are aligned with its inherent risk profile, or whether more needs to be done to achieve the desired level of preparedness. As the institution’s inherent risk profile rises so should its maturity level. The preparedness level should be evaluated periodically, in particular when the institution plans to introduce new products or services or modify its business operations. As the FFIEC states “The assessment [tool] provides a repeatable and measurable process for institutions to measure their cybersecurity preparedness over time.”
In Canada, the Office of the Superintendent of Financial Institutions (“OSFI”) has previously issued in 2013 a very detailed Cyber Security Self-Assessment Guidance. Similarly to the FFIEC assessment tool, the OSFI guidance provides categories for self-assessment in respect of cyber security practices, each of which is divided into different criteria, that cover multiple operational areas of an institutions beyond information technology. Unlike the FFIEC’s assessment tool, the OSFI guidelines are structured as a single-part assessment of six different risk areas, allow institutions to consider mitigating processes and practices already in place, and do not advocate for information sharing among financial institutions. Both tools provide institutions with repeatable steps that can be used to regularly evaluate their existing processes and resources and to determine whether there are any gaps should be addressed to reach the desired level of preparedness in the event of a cyberattack.
© McCarthy Tétrault LLP
Ana Badour is a partner in McCarthy Tétrault’s Financial Services Group in Toronto. Diego Beltran is an associate in McCarthy Tétrault’s Business Law Group in Toronto.