FFIEC Cybersecurity Assessment 'Tool' Goes Live

WASHINGTON — Federal regulators on Tuesday unveiled a much-anticipated tool meant to help institutions assess their own cybersecurity systems.

The "cybersecurity assessment tool" — released by the Federal Financial Institutions Examination Council — is designed to help financial institutions not only identify their level of risk to a cyber-attack but also to gauge their ability to manage and control their own specific threat levels.

The tool is essentially a user's guide that leads institutions through the self-assessment. It contains two basic parts. The "Inherent Risk Profile" catalogues an institution's technology and connection types, delivery channels, external threats and other facets of its risk characteristics. The second part assesses the institution's cyber risk management, threat intelligence and how it would respond to a cyber-incident, among other capabilities.

"The assessment provides a repeatable and measurable process for institutions to measure their cybersecurity preparedness over time," the FFIEC says in an overview of the tool.

The release of the cybersecurity assessment is another sign regulators are concerned about the level of readiness at banks. It was unveiled following a pilot program last year in which examiners from the financial regulatory agencies conducted cybersecurity assessments at 500 community financial institutions as part of their regular exams.

The tool incorporates standards from the FFIEC information security examination handbook as well as cybersecurity standards developed by the National Institute of Standards and Technology Cybersecurity Framework. The regulators said they will continue to update the tool as the cyber arena evolves.

For reprint and licensing requests for this article, click here.
Bank technology Community banking Law and regulation Cyber security
MORE FROM AMERICAN BANKER