Observations from Our Review of Completed Cybersecurity Assessments

By: Mike Detrow, Senior Consultant and Manager of IT

Financial institutions have begun the process of completing the Cybersecurity Assessment Tool provided by the FFIEC and some are struggling to complete it accurately. In this article, I will discuss the process for using the tool, as well as some of our observations from the review of these completed assessments.

Using the Tool
The Cybersecurity Assessment Tool was designed to help financial institutions identify their Inherent Risk Profile and evaluate their level of Cybersecurity Maturity. The end result is for financial institutions to understand the relationship between the risks associated with the activities, services, and products offered and the adequacy of the controls used to mitigate these risks. During the completion of the tool, management must collaborate with personnel from all internal departments and include third parties that are providing risk management services, such as IT service providers.

Determine the Inherent Risk Profile
The assessment process begins with the identification of the institution’s Overall Inherent Risk Profile. The tool identifies five categories for the activities, services, and products in place at the institution. For each activity, service, or product, management must select the most appropriate inherent risk level based upon the options listed within the tool. Once this process is complete, management must determine the Overall Inherent Risk Profile based on the number of applicable statements in each risk level. As an example, if the majority of activities, products, or services fall within the Minimal risk level, management may determine that the institution has a Minimal Overall Inherent Risk Profile. As each category may pose a different level of inherent risk, management should consider evaluating whether a specific category poses additional risk in addition to evaluating the number of instances selected for a specific risk level.

Determine Cybersecurity Maturity Level
The second part of the assessment is to evaluate the institution’s Cybersecurity Maturity Level for each of the five domains identified within the tool by indicating whether or not the institution has attained each of the Declarative Statements within a specific maturity level for that domain. To attain a specific Cybersecurity Maturity Level for a domain, 100% of the Declarative Statements within that maturity level must be attained.

Determine Relationship Between the Two Parts
The tool includes an illustration showing the relationship between the Inherent Risk Level and the Cybersecurity Maturity Level. As an example, if an institution has determined that it has a Minimal Overall Inherent Risk Profile, the recommended Cybersecurity Maturity Level range for each domain is Baseline to Intermediate. As an institution completes the assessment, the first goal should be to ensure that the Baseline Cybersecurity Maturity Level is attained for each of the five domains identified by the tool as the Baseline level identifies the minimum expectations required by law, regulations, or supervisory guidance. If an institution has not yet reached the Baseline level at the time of the Cybersecurity Assessment completion, an action plan should be developed to implement the requirements to attain the Baseline level. Once the institution has attained the Baseline level, management can determine the target Cybersecurity Maturity Level and develop an action plan to attain that level. In the example above, for an institution with an Overall Inherent Risk Profile of Minimal, management may determine that their target Cybersecurity Maturity Level is Evolving. It is important for financial institutions to understand the relationship between the Overall Inherent Risk Profile and the recommended Cybersecurity Maturity Level identified in this tool to recognize that regulators will not expect an institution with a Least or Minimal Overall Inherent Risk Profile to attain a Cybersecurity Maturity Level of Advanced or Innovative.
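The three steps above (tallying inherent risk selections, testing each domain against the 100% rule, and comparing the result with the recommended range) can be carried through in code. The following is an added illustration written for this article, not the FFIEC tool itself or any vendor's implementation. The category names, domain names, statement identifiers and Yes/No answers are constructed sample data; only the "Minimal" row of the recommended-range table is taken from the article, the other rows are reproduced from memory of the tool's relationship figure and should be checked against the tool; and the assumptions that ties resolve toward the higher risk level and that maturity levels are cumulative are labelled in the code.

```python
"""Worked example of the Cybersecurity Assessment Tool scoring steps.

Added illustration, not the FFIEC tool. All sample data below is constructed.
"""
from collections import Counter

RISK_LEVELS = ["Least", "Minimal", "Moderate", "Significant", "Most"]
MATURITY_LEVELS = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]

# Recommended maturity range per Overall Inherent Risk Profile.
# Only the "Minimal" row is stated in the article; the other rows are
# reproduced from memory of the tool's figure (assumption, verify against the tool).
RECOMMENDED_RANGE = {
    "Least": ("Baseline", "Evolving"),
    "Minimal": ("Baseline", "Intermediate"),
    "Moderate": ("Evolving", "Advanced"),
    "Significant": ("Intermediate", "Innovative"),
    "Most": ("Advanced", "Innovative"),
}


def overall_inherent_risk(selections):
    """selections: {category: {activity_or_service: risk_level}}.

    Returns (profile, counts, flagged_categories). The profile is the level
    with the most selected items; ties resolve toward the higher level
    (a conservative assumption, not a rule from the article). A category is
    flagged when its own predominant level is higher than the overall
    profile, which is the per-category check the article recommends."""
    counts = Counter()
    predominant = {}
    for category, items in selections.items():
        cat_counts = Counter(items.values())
        counts.update(cat_counts)
        predominant[category] = max(
            cat_counts, key=lambda lvl: (cat_counts[lvl], RISK_LEVELS.index(lvl)))
    profile = max(counts, key=lambda lvl: (counts[lvl], RISK_LEVELS.index(lvl)))
    flagged = [c for c, lvl in predominant.items()
               if RISK_LEVELS.index(lvl) > RISK_LEVELS.index(profile)]
    return profile, dict(counts), flagged


def domain_maturity(answers):
    """answers: {maturity_level: {statement_id: True_if_Yes}} for one domain.

    A level is attained only when 100% of its statements are Yes. Assumption:
    levels are cumulative, so the attained level is the highest one for which
    it and every lower level are fully attained. Returns
    (attained_level_or_None, first_incomplete_level, unattained_statements);
    the last item is the raw material for the action plan."""
    attained = None
    for level in MATURITY_LEVELS:
        statements = answers.get(level, {})
        missing = [sid for sid, yes in statements.items() if not yes]
        if missing or not statements:          # a level with no answers is not attained
            return attained, level, missing
        attained = level
    return attained, None, []


def assess(selections, domains):
    """Combine both parts and compare each domain with the recommended range."""
    profile, counts, flagged = overall_inherent_risk(selections)
    low, high = RECOMMENDED_RANGE[profile]
    report = {"profile": profile, "counts": counts, "flagged_categories": flagged,
              "recommended_range": (low, high), "domains": {}}
    for name, answers in domains.items():
        attained, next_level, missing = domain_maturity(answers)
        meets_minimum = (attained is not None and
                         MATURITY_LEVELS.index(attained) >= MATURITY_LEVELS.index(low))
        report["domains"][name] = {"attained": attained, "next_level": next_level,
                                   "action_plan": missing,
                                   "meets_recommended_minimum": meets_minimum}
    return report


# Constructed sample input (not from the article or the tool).
SAMPLE_SELECTIONS = {
    "Category A": {"item1": "Minimal", "item2": "Minimal", "item3": "Least"},
    "Category B": {"item1": "Moderate", "item2": "Moderate", "item3": "Minimal"},
    "Category C": {"item1": "Minimal", "item2": "Least"},
}
SAMPLE_DOMAINS = {
    "Domain 1": {"Baseline": {"B.1": True, "B.2": True},
                 "Evolving": {"E.1": True, "E.2": False},
                 "Intermediate": {"I.1": False}},
    "Domain 2": {"Baseline": {"B.1": True, "B.2": False}},
}

if __name__ == "__main__":
    result = assess(SAMPLE_SELECTIONS, SAMPLE_DOMAINS)
    print(result["profile"], result["recommended_range"], result["flagged_categories"])
    for name, detail in result["domains"].items():
        print(name, detail)
```

With the sample data the overall profile is Minimal (four Minimal selections against two each of Least and Moderate), but Category B leans Moderate and is flagged for the separate look the article suggests. Domain 1 has attained Baseline and its action plan is the single unattained Evolving statement; Domain 2 has not yet reached Baseline, so its action plan comes first.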

The primary issue that we have identified through our review of completed Cybersecurity Assessments is the misinterpretation of the Declarative Statements. Each of the Declarative Statements within the Baseline level has a reference to the associated FFIEC Information Security Booklet, which allows institutions to locate additional information about the requirements to attain the statement. Management should review the references to the FFIEC Information Security Booklets to fully understand the meaning of each Declarative Statement. Interpretation of the Declarative Statements for Cybersecurity Maturity Levels above Baseline may require assistance from a third party or additional research.

We have found that a number of institutions with Inherent Risk Profiles of Least or Minimal have selected Yes for many Declarative Statements that the institution has not yet attained. If management is unsure of the meaning of a Declarative Statement, appropriate expertise should be sought before selecting Yes. Incorrectly indicating that the institution has attained a Declarative Statement will eventually lead to audit and examination findings.

Small community financial institutions should thoroughly evaluate a number of the Baseline level Declarative Statements before indicating that they have been attained.

Completion of the FFIEC’s Cybersecurity Assessment Tool is a new process for financial institutions that will require feedback from the institutions that use the tool, as well as additional clarification from regulatory agencies. Institutions that spend time with examiners and risk management providers to understand and complete the tool accurately should gain a better understanding of their current cybersecurity risk level and be able to identify additional mitigating controls that can be implemented to prevent or reduce the impact of a cyberattack.

