Last month, the Federal Financial Institutions Examination Council responded to institutions' requests for clarification about how, and to what extent, the Cybersecurity Assessment Tool should be used when preparing for regulatory IT examinations (see Banks to FFIEC: Cyber Tool is Flawed).
As part of that "frequently asked questions" guide, the FFIEC addressed a number of concerns, the most pressing of which relates to banks' and credit unions' ongoing confusion about whether use of the tool is mandatory.
If the FFIEC is leaving it up to individual regulatory agencies to decide how they will use the tool or talk about the tool's findings during assessments, then use of the tool is not truly voluntary.
Once again, the FFIEC stressed that use of the tool is voluntary: "The FFIEC released the Assessment as a voluntary tool that institution management may use to determine the institution's inherent risk and cybersecurity preparedness."
Nevertheless, some FFIEC critics tell me that regulators are still questioning institutions about their use of the tool during IT examinations.
"The CAT is not necessarily 'voluntary,'" says former bank CISO David Shroyer, who now works as managing director of information and cybersecurity for Queen Associates, an IT consultancy and staffing agency. "It will be reviewed in every exam."
So, if examiners keep asking to review internal risk assessments based on the tool, then the tool's use is not voluntary.
The FFIEC needs to clarify how much discretion individual examiners have when it comes to relying on the tool to determine risk preparedness during exams.
"[The FAQ] should clarify the fact that examiners should not be asking to review these assessments as if they were mandatory," contends financial fraud expert Avivah Litan, an analyst at the consultancy Gartner. "It's the examinations that are the main problem, not the tool, in my opinion."
The FAQ fails to clarify whether institutions will be asked to review during their exams self-assessments conducted with the tool: "To obtain additional information about a particular FFIEC member's use of the Assessment, financial institution management should contact its institution's regulator directly," the FAQ notes.
Regulators Admit Ambiguity Exists
Soon after the FAQ was published, I spoke with Tim Segerson and Wayne Trout of the National Credit Union Administration's Office of Examination and Insurance (see FFIEC Sheds Light on Use of Cybersecurity Assessment Tool). The NCUA is one of the five regulatory agencies that makes up the FFIEC.
Segerson and Trout agreed the FAQ doesn't answer every question, and they indicated that the tool is likely to eventually be updated and/or revamped to better address emerging cyber risks. But they acknowledged that although the use of the tool is voluntary, its use is still likely to come up during IT examinations.
"On the examination process right now, for institutions that have ... actually gone through and completed the assessment tool, examiners are engaging in conversation with those institutions' managers and determining what the institution rated themselves in the inherent risk profile, as well as [how] the institution rates themselves in the maturity portion of the tool," Trout noted in our October interview.
Segerson and Trout pointed out, however, that they could not be certain about how other agencies' examiners are discussing the assessment tool during exams.
I reached to the four other FFIEC agencies - the Office of the Comptroller of the Currency, the Federal Reserve, the Federal Deposit Insurance Corp. and the Consumer Financial Protection Bureau - for clarification about how their examiners plan to use the tool or inquire about its use during exams. None immediately replied to my request for comment.
Avoid 'One-Size-Fits-All' Approach
Al Pascual, who oversees fraud and security at Javelin Strategy & Research, says the FFIEC really can't be too prescriptive when it comes to how each agency expects institutions to use the tool. "The FFIEC would be doing the industry a disservice if it tried to prescribe a one-size-fits-all approach to security," he says.
Still, it's not fair to banks and credit unions for regulators to say the tool's use is voluntary and then raise questions about how it's being used during examinations.
With so much ambiguity about how individual agency examiners could use the tool during exams, it's no wonder banks are confused.
What's more, if the FFIEC is leaving it up to individual regulatory agencies to decide how they will use the tool or talk about the tool's findings during assessments, then use of the tool is not truly voluntary.
"The FFIEC should have been more explicit about the fact that the regulators should not be implicitly enforcing use of the tool," Litan tells me. "Instead, they are telling the members to contact their regulator directly. It's the FFIEC's job to spread the word about the misaligned examinations - i.e., that they should not be treating these assessments as if they were required."