Banks, holding companies and other financial institutions are calling on the FFIEC to make changes to its Cybersecurity Assessment Tool – which is a set of general threat-readiness suggestions – but is in some cases being treated as requirements. Concerns came flooding into the federal cybersecurity regulator during the second comment period, which ended January 15 over the uncertainty generated by the sometimes inconsistent nature of how the tool is viewed by FFIEC examiners.
The Cybersecurity Assessment Tool, which is meant to be a voluntary set of guidelines for banks and credit unions to assess their fraud resilience and risk management, is being used by some examiners as part of the auditing process, which implies that the tool may in fact be mandatory.
According to a Bank Info Security report, many banking associations have requested that the FFIEC take the following actions:
- Stop examiners from questioning institutions about their use of Cybersecurity Assessment Tool.
- Issue a second version of the tool, after closer collaboration with cybersecurity representatives from the banking industry, which includes recommendations and assessments that meet banking-specific needs.
- Ensure that the tool’s assessment recommendations more closely resemble those outlined in the National Institute of Standards and Technology Cybersecurity Framework.
Bank officials are squirming in their seats about how the tool’s inconsistent application might affect them in the future, and will likely continue to do so until the FFIEC clears up all the confusion. But in the meantime, here are a few things for financial institutions to keep in mind when attempting to bring your threat readiness up to a level that should satisfy an FFIEC examiner:
- Financial institutions should use the tool to identify gaps in their existing cybersecurity strategies, and modify their processes and procedures and build controls around them.
- This is a tool and it should serve as a guide. The FFIEC has made it general and broad enough to fit financial institution of all shapes and sizes.
- It is the financial institution’s job to scope the tool. This means scale it up or down according to their environments, threat metrics and their tolerance for risk.
- With that said, it is imperative that financial institutions do not lose sight of the big picture – leveraging the tool is great, but it should not be all you are doing to prevent cyber fraud.