The Federal Financial Institutions Examination Council (FFIEC) released an update to its Cybersecurity Assessment Tool to help financial institutions establish a better baseline to identify their risks and determine their cybersecurity preparedness. The original intent of the Assessment was to provide a repeatable and measurable process for financial institutions to measure their cybersecurity preparedness over time.
The updates respond to criticism the tool has drawn since its release in June 2015 for its vagueness and its divergence from other well-established cybersecurity assessment frameworks, such as the NIST Cybersecurity Framework. While there are similarities between these tools, the FFIEC is trying to provide guidance tailored to its constituency, whereas the NIST framework is general enough to apply to all organizations.
While these tools and frameworks are seen by most organizations as guidelines to help them better protect their businesses and customers, the FFIEC regulators have been mandating its use by the banks and credit unions under its jurisdiction. This raises questions about complying with other regulations and what frameworks financial institutions should use.
The FFIEC assessment tool includes three main components:
- A risk profile assessment, to help institutions understand how each activity, service and product contributes to their inherent risk
- A cybersecurity maturity assessment, to determine an institution’s cybersecurity maturity level
- An interpretation and analysis assessment, to help institutions understand whether their inherent risk profile is appropriate relative to their cybersecurity maturity
Organizations that must comply with GLBA, SOX, the new NYDFS 23 NYCRR 500 cybersecurity regulation and others may have trouble deciding on the best approach to meeting all of these regulations. While the NIST Framework offers general guidelines to help improve an organization’s cybersecurity posture, regulations like the NYDFS rule are more prescriptive, defining specific technologies or processes that must be in place to meet the regulation. This may require additional guidance.
One enhancement in the updated FFIEC Cybersecurity Assessment Tool is a mapping of the NIST framework to the tool. For those already using NIST or the FFIEC tool, this helps establish how the two complement each other and where they differ. It is also helpful for organizations looking to comply with NYDFS, since many of the same goals are inherent in these tools.
While other regulatory agencies have not explicitly said they will adopt the FFIEC tool, I expect some will rather than creating their own. It would be nice to have a one-size-fits-all solution, but as the threat landscape and regulations change, tools need to evolve to meet the specific requirements of different industries.
The real goal of these rules and frameworks, lest we forget, is to ensure that you can securely operate your business without compromising your own or your customers’ security and privacy. It’s all about protecting your confidential information and ensuring that you can continue operating as a business with the trust and confidence you have built with your customers and partners.