Banks to FFIEC: Cyber Tool is Flawed
Tool's Role in IT Examinations Raises Serious Concerns
Banking institutions and associations that have demanded the Federal Financial Institutions Examination Council make significant changes to the Cybersecurity Assessment Tool are now anxiously waiting for the council to take action.
Among the most pressing concerns expressed during the second comment period on the tool, which concluded Jan. 15, is that banking examiners are using what institutions perceive as a subpar tool to assess cybersecurity resilience and risk management. This wasn't anticipated, because the FFIEC had described use of the tool as "voluntary," says Mike Wyffels, chief information officer of QCR Holdings, a $2 billion company that owns four banking institutions.
And in a comment provided to the FFIEC by First National Bank, a community bank based in Ord, Neb., Clark Hervent, the bank's cybersecurity officer, explains the additional pressures use of the tool has put on him and his staff.
"I would estimate that I have spent 200-300 hours entering responses into the tool, and gathering data and input from other staff and sources, while squeezing these activities into a very busy schedule over the past six months," Hervent says. "The tool is a very large, time-consuming task for a bank our size. I fear that our examiners will ask for the completed tool at the next exam, and if we have not completed one, they will request that we generate the same amount and type of data that the tool requires anyway."
Banking institutions and associations, in their extensive comments, have asked the FFIEC to:
- Stop examiners from questioning institutions about their use of the Cybersecurity Assessment Tool;
- Issue a second version of the tool, after closer collaboration with cybersecurity representatives from the banking industry, that includes recommendations and assessments that meet banking-specific needs; and
- Ensure that the tool's assessment recommendations more closely resemble those outlined in the National Institute of Standards and Technology Cybersecurity Framework.
Is Tool Really Voluntary?
The Office of the Comptroller of the Currency, which is the lead agency for the FFIEC, declined to comment about when, if ever, changes or clarifications might be announced. But OCC spokeswoman Stephanie Collins tells Information Security Media Group that the tool's use is, indeed, voluntary.
Nevertheless, the Financial Services Sector Coordinating Council says banking institutions want to see more definitive clarification of the voluntary nature of the tool, since three states have issued notifications to state-chartered banks about implicit or explicit expectations that the tool be used as part of their cybersecurity risk assessments.
"The agencies have indicated that the use of the assessment is voluntary for banks in Federal Register notices and various meetings," says Jeremy Dalpiaz, assistant vice president of cybersecurity and data security policy for the Independent Community Bankers of America. "At the same time, however, the assessment is being used by examiners as part of the examinations process."
Amy McHugh, an attorney and former IT examination analyst with the Federal Deposit Insurance Corp., who now works as a banking consultant for CliftonLarsonAllen, says banking institutions have been telling her the same thing.
"My FI [financial institution] clients that have had a federal regulatory exam since the tool was released say that the regulators are asking if they have completed it, and, if they haven't, saying that they need to complete it as soon as possible," she says. "So, it sounds like it is technically voluntary, but not in reality. I also have heard from my FI clients that the regulators are asking them to complete it, but have limited understanding of why the FIs should be doing it or what the results for the FI's inherent risk rating and cybersecurity maturity level actually mean to the FI's operations."
And KeyBank National Association, a $93 billion bank based in Ohio, says in its comments: "Though this assessment is voluntary, it appears that it will be used by the OCC examiners as part of the exam process. As a result, the expectations on how this tool will be used and how 'completed and acceptable' are defined are unclear."
Meanwhile, the National Association of Federal Credit Unions expressed concern in its comments that "the FFIEC believes that if a financial institution has completed an assessment, examiners may request a copy of all relevant documentation, as they would for any risk self-assessment performed by the financial institution. We are concerned that examiners may review the financial institution's assessment and pressure the institution toward a particular maturity level, rather than evaluating their ability to identify and manage that risk."
Aligning the Tool with NIST
The comments submitted to FFIEC in recent weeks raise issues similar to those highlighted in September by the FSSCC, which asked the FFIEC to reconsider how the tool is used (see FFIEC Cyber Tool Needs Urgent Revamp).
On Jan. 15, the FSSCC submitted more comments, stressing again why the tool needs to resemble the NIST framework and why the tool should not be used as part of the IT examination process. Its comments state:
"The current assessment, while cross-referencing the requirements of the NIST Cybersecurity Framework, is not harmonized with the NIST Cybersecurity Framework."
And many banks say they agree that using the NIST framework as a baseline makes sense.
"NIST is a recognized standards body accepted across industry verticals, providing frameworks and standards using common definitions, meanings and terms which can be built upon and customized by adopters," says QCR Holdings' Wyffels. "Those standards enable cross-industry collaboration and understanding, regardless if you are a consumer or solutions developer. The commonalities help facilitate conversations between companies, solutions providers and regulators alike."