As of July 1, the Federal Financial Institutions Examination Council (FFIEC), in conjunction with the National Institute of Standards and Technology (NIST), developed the Cybersecurity Assessment Tool to help financial institutions identify their risks and determine their cybersecurity preparedness.
Banks can use the assessment tool’s inherent risk profile to categorize their risk from the areas of most concern to those of least. Once their inherent risks are identified, they can rank their cybersecurity maturity level, from having the bare baseline of security essentials to being proactive and innovative.
Here is the breakdown of each area of the assessment tool:
- Inherent risk profile identifies the amount of risk posed to a bank by the types, volume, and complexity of the bank’s technologies and connections, delivery channels, products and services, organizational characteristics, and external threats—notwithstanding the bank’s risk-mitigating controls.
- Cybersecurity maturity is evaluated in five domains: cyber-risk management and oversight; threat intelligence and collaboration; cybersecurity controls; external dependency management; and cyber-incident management and resilience. Each domain has five levels of maturity: baseline, evolving, intermediate, advanced, and innovative. A bank’s appropriate cybersecurity maturity levels depend on its inherent risk profile.
This is an important new tool because it enables management to know where the risks are in their security program and identify what solutions they can procure to move up the maturity matrix towards being more innovative.
Another notable opportunity here is integrating these inherent risk questionnaires into existing risk calculations. When I worked at a global investment bank, they already had a homemade risk assessment application that incorporated FFIEC handbook questionnaires. Larger, more innovative, security-mature banks and insurance companies will most likely upgrade their existing risk management programs with these new sets of questions and responses. There is a huge demand for automated risk ranking in the financial sector; large banks depend on rankings to procure solutions and make key security investment decisions.
At Carbon Black we’re happy to see the FFIEC providing this guidance to the financial sector, which aligns well with our approach. Our solutions can help financial institutions lower their inherent risk while helping them become more innovative. We can also provide out-of-the-box mappings for inherent risks and integrate with their existing risk management programs. The financial sector is a risk-based business, so providing automated risk calculations will achieve easy wins with management and enable them to focus on strategically becoming more innovative and ultimately more secure in their cybersecurity programs.