Governance & Risk Management , Risk Assessments
FFIEC Issues Cyber Assessment ToolRegulator: Tool to be Used in Cyber Exams in 2016
The Federal Financial Institutions Examination Council on June 30 released its much-anticipated Cybersecurity Assessment Tool, which is designed to help banking institutions of all sizes assess and identity risks and weaknesses in their cybersecurity preparedness programs.
And while use of the tool for now is optional, Tim Segerson, deputy director of the office of examination and insurance at the National Credit Union Administration, says regulators plan to incorporate the tool into their cyber exam processes as early as June 2016.
"There is no mandatory expectation for it right now," Segerson explains in this interview with Information Security Media Group. "Each regulator is addressing implementation based on each segment of the marketplace. ... But at the NCUA, by June 2016, we will likely incorporate the tool into our examination approach."
Other regulatory agencies also are expected to incorporate the tool into their examination processes as well, he says.
"We first wanted to give institutions a significant amount of time to get used to the tool, and get immersed in cybersecurity," Segerson adds.
The tool includes three main components:
- A risk profile assessment, to help institutions understand how each activity, service and product can impact risk and affect inherent risk;
- A cybersecurity maturity assessment, to determine an institution's cybersecurity maturity level; and
- Interpretation and analysis assessment, to help institutions understand whether their inherent risks are appropriate, relative to their cybersecurity maturity.
The FFIEC also provides key steps for use and better understanding of the tool. These steps include:
- An overview of cyber-risks and the cybersecurity assessment tool for CEOs and boards of directors;
- A user's guide, which explains all aspects of the tool and how it can be used by institutions to interpret and analyze their internal cybersecurity assessments; and
- An appendix section, which provides links to IT related handbooks and statements, mapping how the cybersecurity assessment tool aligns with the NIST Cybersecurity Framework, and a glossary of common cyber-related terms.
The assessment features aim to provide institutions with a repeatable and measurable process for measuring cybersecurity preparedness over time, the FFIEC says.
During this interview, Sergeson also discusses:
- How regulators are approaching cybersecurity guidance and examination procedures differently than they have for traditional IT guidance and exams;
- Why the so-called commoditization of malware and cybercrime tools is especially concerning for smaller institutions; and
- Steps the FFIEC wants to see banking institutions take to ensure employees are well educated about emerging cyber risks.
At the NCUA, Segerson oversees the day-to-day operations of the office of examination and insurance and assists the director with implementation of agency-wide policies related to examinations, supervision and insurance, and guaranty-fund risk management. He joined the NCUA in 1992, and has worked as a problem-case officer, field supervisor, and as serving director of supervision and director of risk management within the office of examination and insurance.