FFIEC & Cybersecurity

On June 30, 2015, the Federal Financial Institutions Examination Council (FFIEC) released guidelines and an assessment tool on cybersecurity risk.  Established in 1979 as part of the Financial Institutions Regulatory and Interest Rate Control Act, the FFIEC is an interagency council comprised of the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Consumer Financial Protection Bureau (CFPB).  The FFIEC’s role is to recommend uniform standards, principles, and forms for federal agency supervision and examination of financial institutions.

The FFIEC has recognized that cyber threats have become increasingly sophisticated and more common.  To address the risk to financial institutions, the FFIEC developed the cybersecurity assessment tool, which evaluates a financial institution’s inherent risk profile and cybersecurity maturity.  The inherent risk profile considers five categories including technologies and connection types, delivery channels, online and mobile products and technology services, organizational characteristics, and external threats.  The tool is used to assess the risk level (from least to most) within specific areas for each category.  Cybersecurity maturity evaluates five areas including cyber risk management and oversight, threat intelligence and collaboration, cybersecurity controls, external dependency management, and cyber incident management and resilience—all along various assessment factors.

The FDIC Advisory Committee will discuss the assessment tool during its July 10 meeting, which can be accessed by live webcast on the FDIC website.  The cybersecurity assessment tool itself is available on the FFIEC website.

S.P. Slaughter

Follow me on Twitter: @SP_Slaughter