Pub. 3 2015 Issue 2

www.uba.org

By Jon Waldman – Partner, Secure Banking Solutions, LLC

What Do You Need to Know About the FFIEC Cybersecurity Assessment Tool?

As promised in their 2014 Cybersecurity Observations publication, the FFIEC has released new guidance in the form of a Cybersecurity Assessment Tool. As one would expect, it has a heavy focus on CEO and Board level involvement, as well as tying controls to other FFIEC and NIST resources in order to assemble a set of expectations for financial institutions based on their size and complexity. However, this new assessment tool not only provides financial institutions a method to evaluate the maturity of their Information Security Program to address cyber threats, but it also gives examiners a method to create a risk-based cyber examination process. The old FFIEC handbooks don't really delineate between institutions of different sizes and complexities; that delineation is exactly what the FFIEC appears to be doing here on the cybersecurity side of the information security world.

Interestingly enough, this new tool is also very prescriptive in that inherent risk and maturity expectations are outlined in specific detail, which is another (welcome) change from traditional guidance. It's essentially giving institutions examination procedures that they can use to point to exactly where they are in the realm of cybersecurity, as well as exactly where institutions need to be regarding the implementation of controls. For those who have completed the FDIC IT Officer's Questionnaire in the past, this tool resembles that process very closely, with two significant differences: the FDIC Officer's Questionnaire has a signature line for accountability, but it does not have a risk-based scoping process to vary expectations on institutions based on size and complexity.

Another significant question that needs to be addressed is how this new assessment affects what institutions are currently doing regarding a documented Information Security Program. Please be sure to understand – this new Cybersecurity Assessment Tool is not a replacement for any current risk management process; it's an addition to current Information Security Program processes that ensures financial institutions have adequate controls in place to mitigate the risk of cyber-specific threats. This doesn't replace anything from a standard or traditional ISP, including an asset-based IT Risk Assessment. It's a different vantage point that should allow Senior Management and the Board of Directors to better understand the institution's maturity when it comes to preparing for and mitigating risk around the increasing cybersecurity attacks that are affecting networks and organizations on a much more regular basis.

So, what are the big takeaways for those who need to understand this new tool at their own financial institutions? First, the assessment tool identifies and creates a baseline of (inherent) cybersecurity risk for the institution. It then compares the current maturity level of the institution against risk-based expectations and identifies gaps in the cybersecurity controls needed to meet the maturity expectations. If the institution does not meet the identified cybersecurity maturity levels, then the assessment suggests improvements to existing risk management and information security program components.

The FDIC has also released this FFIEC Cybersecurity Assessment Tool as FIL-28-2015 and states that the use of this new tool is "voluntary"; however, we have seen many times in the past that voluntary processes or items not mandated are still used in examination processes. Technically, all of the FFIEC IT Booklets are voluntary resources.

It's important that each financial institution quickly gets familiar with this new Cybersecurity Assessment Tool and understands where the institution stands in terms of inherent risk and cybersecurity maturity. Once you understand your inherent risk and maturity levels, your next step is to develop a list of next steps to close the gaps in the cybersecurity maturity model identified by the FFIEC. Examiners will likely not expect full compliance with these identified cybersecurity controls tomorrow, but there will certainly be an expectation that institutions start leveraging this resource and making steps toward the identified goals.

SBS is quickly working to automate this manual assessment tool into a freely available resource that financial institutions can use to quickly and easily perform their own Cybersecurity Assessment. If you're interested in pre-registering for this free web-based application, please visit our website here: https://www.protectmybank.com/register/

For more information about the FFIEC Cybersecurity Assessment Tool, you can find links to the resources and a copy of the tool at www.protectmybank.com. SBS will continue to provide additional articles and updates on educational opportunities on our website, so stay tuned… we aim to keep you up-to-date on everything Cybersecurity Assessment related!
