On June 30, 2015, the Office of the Comptroller of the Currency (“OCC”) announced in OCC Bulletin 2015-31 that the Federal Financial Institutions Examination Council (“FFIEC”) had issued a Cybersecurity Assessment Tool that allows institutions to evaluate their cybersecurity risks and preparedness. The Cybersecurity Assessment Tool will be incorporated into future OCC examinations of national banks, federal savings associations, and federal branches and agencies in order to benchmark and assess their cybersecurity efforts. The OCC anticipates incorporating the Cybersecurity Assessment Tool into examinations starting in late 2015.
The FFIEC, which is composed of principals from the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency, the Consumer Financial Protection Bureau, and the State Liaison Committee, prepared the Cybersecurity Assessment Tool as part of a larger effort to enhance cybersecurity. In 2014, the FFIEC piloted a cybersecurity examination work program; in addition to creating the Cybersecurity Assessment Tool, that program is working to enhance incident analysis, crisis management, training, and policy development, to improve collaboration with other government agencies, and to communicate the importance of cybersecurity awareness and best practices among financial industry participants, regulators, and other government agencies. Additional information regarding the FFIEC’s efforts, including cybersecurity resources and further details on the cybersecurity assessment conducted in 2014, is available on the FFIEC website.
The Cybersecurity Assessment Tool consists of two parts: the Inherent Risk Profile and Cybersecurity Maturity. The Inherent Risk Profile identifies the institution’s inherent risk before controls are implemented, that is, the amount of risk posed to the institution by the types, volume, and complexity of its technologies and connections, delivery channels, products and services, organizational characteristics, and external threats, without regard to the institution’s risk-mitigating controls. Cybersecurity Maturity includes domains, assessment factors, components, and individual declarative statements across five maturity levels to identify the specific controls and practices that are in place. The Cybersecurity Maturity component is designed to assign one of five levels of maturity (baseline, evolving, intermediate, advanced, and innovative) to each of the five domains: Cyber Risk Management and Oversight, Threat Intelligence and Collaboration, Cybersecurity Controls, External Dependency Management, and Cyber Incident Management and Resilience.
To complete the Assessment, management must first assess the institution’s inherent risk profile based on five categories:
- Technologies and Connection Types
- Delivery Channels
- Online/Mobile Products and Technology Services
- Organizational Characteristics
- External Threats
Management then evaluates the institution’s Cybersecurity Maturity level for each of the five domains. Ideally, an institution’s riskiest domains should have the most mature cybersecurity level, as reflected in the figure below.
If the evaluation shows that an institution’s maturity levels are not appropriate in relation to its inherent risk profile, the FFIEC recommends that management consider either reducing inherent risk or developing a strategy to improve the maturity levels by determining target maturity levels, conducting a gap analysis, prioritizing and planning actions, and implementing the necessary changes.
The Cybersecurity Assessment Tool is designed to provide a measurable and repeatable process to assess an institution’s level of cybersecurity risk and preparedness. The FFIEC suggests that an institution complete it periodically and as significant operational and technological changes occur to ensure that it remains an effective risk management tool.