FREE NEWSLETTER: Econintersect sends a nightly newsletter highlighting news events of the day, and providing a summary of new articles posted on the website. Econintersect will not sell or pass your email address to others per our privacy policy. You can cancel this subscription at any time by selecting the unsubscribing link in the footer of each email.

posted on 31 October 2015

Less Risky Business: An Overview Of A New Cybersecurity Assessment Tool

from the Atlanta Fed

Cybersecurity is a high-risk concern for the financial industry and supervisors. Since the 2012 distributed denial of service attacks, institutions have placed an even greater emphasis on improving security and combating potential incidents. Firms have increased their information technology (IT) security budgets and invested in systems and personnel to address these risks. Despite these efforts, institutions are unsure whether their actions are sufficient and are still seeking a comfort level with their preparations and ongoing security programs.

The Federal Financial Institutions Examination Council (FFIEC) members have also experienced challenges in assessing whether institutions' actions are appropriate and sufficient. To assist in answering these questions, the FFIEC has developed a cybersecurity assessment tool (CAT). This tool is designed to help financial institutions determine their inherent level of cybersecurity risk and then assess the appropriateness of their cybersecurity control environments given their identified risks. The FFIEC tool is based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework and existing regulatory guidance. It is not a silver bullet to address all cybersecurity concerns. However, it should help firms identify controls gaps in their environment based on their inherent risk profiles.


On July 2, the Board of Governors issued SR letter 15-9 (FFIEC Cybersecurity Assessment Tool for Chief Executive Officers and Boards of Directors). The letter includes information on the CAT. Beginning in late 2015 or early 2016, the Federal Reserve plans to use these types of self-assessments in the review of cybersecurity preparedness in IT and safety and soundness examinations and inspections. Financial institutions and the industry will have the opportunity to provide feedback on the assessment tool. Based on comments received, the FFIEC agencies will determine whether the assessment tool should be modified. The Federal Reserve is particularly intent on working with the other agencies to tailor supervisory expectations for financial institutions with low cybersecurity risk characteristics. As appropriate, additional supervisory expectations may be implemented for financial institutions with significant cybersecurity risk.

Establishing an inherent risk profile

The first portion of the CAT process focuses on the institution's current inherent risk environment. The tool helps determine the level of cybersecurity risk based on the firm's activities, services, and products. The inherent risk categories measured in the CAT include:

  • technologies and connection type

  • delivery channels

  • online/mobile products and technology services

  • organization characteristics and

  • external threats

The assessment begins with measuring the inherent risk of technologies and connections. Certain connections may pose additional cyberrisks. The risk profile may be adjusted depending on the number of internet service providers and third-party connections and whether they are in-house or outsourced. The volume of unsecured connections and the use of end-of-life systems, cloud services, and personal devices can also increase the risk at a firm.

The second considered factor is the number and variety of delivery channels. The greater the number of online and mobile delivery channels and the use of smart ATMs, the greater the risks. Expanding the number of delivery channels also presents additional cyberthreat vectors. A financial institution's mobile or online services may also heighten risk, particularly if there is a funds transfer component.

Organizational changes can also raise the inherent cybersecurity risk at a firm. There have been instances in the past in which data breaches occurred after a merger as a result of a lack of control over the newly consolidated environment. In the postmerger environment, compiling a comprehensive inventory of hardware can be challenging. An overlooked server can go without security updates for a significant amount of time, which opens the door to a data breach. Also, in a postmerger environment, changes in staffing or the use of contractors can lead to excessive user-access privileges being granted and then overlooked. Lastly, organizational changes can also affect morale, which may increase the potential of an insider security threat.

The last inherent risk factor comes from external threats. A large multinational financial institution will have a higher risk profile than a small community bank in a rural setting. Both firms will always face the potential for a cyberattack. However, the small community bank may be unknown outside of its market area and face fewer threats.

Considering cybersecurity maturity

The second portion of the CAT focuses on assessing the cybersecurity maturity of a firm's control environment. The maturity levels are defined as:

  • baseline

  • evolving

  • intermediate

  • advanced and

  • innovative

The baseline maturity level means that a firm is in compliance with regulatory guidance. An evolving firm is characterized by additional formalities of documented procedures and policies that exceed regulatory requirements. An institution with an intermediate state of maturity has a detailed, formal process in place where controls are consistent and validated. In a firm with advanced cybersecurity maturity, cybersecurity practices and analytics are integrated across all lines of business. A firm at the innovative level of maturity demonstrates innovation in people, processes, and technology in its management of cybersecurity risk. These firms are at the leading edge in developing and implementing new controls, tools, and information-sharing groups to address cyberrisk.

The maturity assessment also includes the following domains, for which cybersecurity maturity is measured. These domains include:

  • cyberrisk management and oversight

  • threat intelligence and collaboration

  • cybersecurity controls

  • external dependency management and

  • cyberincident management and resilience

Cyberrisk management and oversight is the governance infrastructure that a firm has in place to oversee cyberrisk. Threat intelligence is the capability to monitor, acquire, analyze, and track the potential cyberthreat landscape and how it might affect the firm. Cybersecurity controls are the measures in place to deter and prevent a cyberattack. External dependency management relates to how well a firm manages its vendors and includes an assessment of the robustness of its vendor management program. The last domain is cyberincident management and resiliency, which concerns the steps management takes to identify, prioritize, respond to, and mitigate cyberthreats and vulnerabilities when they occur.

Using the CAT

The CAT provides management and boards of directors with a repeatable and measurable process to determine whether firms are applying sufficient resources and have the appropriate controls to manage cybersecurity risk. The CAT can help inform management and the board of their institution's level of inherent cyberrisk. The board may then consider this information and, given its risk appetite, determine the appropriate level of cybersecurity maturity needed to manage the firm's particular risk environment. Not all firms are expected to be at an innovative level of maturity. In fact, very few need to strive for this level. The chart below (taken from the FFIEC Cybersecurity Assessment Tool, June 2015, OMB Control 1557-0328) helps to define the appropriate levels of maturity based on the inherent cybersecurity risk identified.

Once the board determines the desired maturity level, management can then measure the current processes against this level, identify any gaps, and take action to move the firm's control environment toward the desired outcome.

Currently, the Fed examines many financial institutions and technology service providers in the southeastern United States. For these firms, hurricanes are a known risk. As a result, these institutions have very robust business continuity and disaster recovery plans. Plans are tested annually and are often activated because of weather events. Given this operating environment, these firms have learned to adapt quickly and resume operations with minimal impact on customers in the aftermath of a weather event. Financial institutions must reach this same level of maturity for managing cybersecurity risk. Firms should assume that it is only a matter of time before they experience a cyberevent. In the ideal state of maturity, when a cyberevent happens, firms will be prepared to react quickly, minimize impact, and resume operations as soon as possible. The CAT is a good first step toward moving the financial industry to this state of maturity.

In the future, the FFIEC will update the tool and the IT Examination Handbook based on the cybersecurity threat landscape. Additional information on the CAT and improving cybersecurity risk management is available.


Views expressed do not necessarily reflect the views of the Bank or the Federal Reserve System.


About the Author

By Brian Bettle, senior examiner in the Atlanta Fed's supervision and regulation division

>>>>> Scroll down to view and make comments <<<<<<

Click here for Historical News Post Listing

Make a Comment

Econintersect wants your comments, data and opinion on the articles posted.  As the internet is a "war zone" of trolls, hackers and spammers - Econintersect must balance its defences against ease of commenting.  We have joined with Livefyre to manage our comment streams.

To comment, using Livefyre just click the "Sign In" button at the top-left corner of the comment box below. You can create a commenting account using your favorite social network such as Twitter, Facebook, Google+, LinkedIn or Open ID - or open a Livefyre account using your email address.

You can also comment using Facebook directly using he comment block below.

Econintersect Contributors


Print this page or create a PDF file of this page
Print Friendly and PDF

The growing use of ad blocking software is creating a shortfall in covering our fixed expenses. Please consider a donation to Econintersect to allow continuing output of quality and balanced financial and economic news and analysis.

Take a look at what is going on inside of
Main Home
Analysis Blog
Comments on Feyerabend’s ‘Against Method’, Part III
Taking a Wrench to Healthcare
News Blog
Case-Shiller Home Price Index August 2016 Year-over-Year Rate of Growth Marginally Improves
Russia Falls Into Old Habits
Infographic Of The Day: Commodity Update, Is The Summer Slump Over
Early Headlines: Asia Stocks Mixed, Oil Mixed, Voting Fraud, Pres. Forecast Little Changed, CETA Not Dead, Generous Iraqis, Terrorists In Pakistan, Duterte Wants Divorce From US And More
October 24, 2016 Weather and Climate Report - La Nina / El Nino?
Most Read Articles Last Week Ending 22 October
Londoners Most Uneasy About Chatting To Strangers
Average Gasoline Prices for Week Ending 24 October 2016 Now Higher Than One Year Ago
Earnings And Economic Reports: Week Starting 24 October 2016
New Findings: Anxiety Is Linked To Death From Cancer In Men
Nearly 1 In 6 European Adults Is Considered Obese
Acupuncture Is Useless
September 2016 CFNAI Super Index Moving Average Declines
Investing Blog
Slow Motion Torture
The Week Ahead: How Long For This Trading Range?
Opinion Blog
What Triggers Collapse?
The Beer Goggles Stock Market
Precious Metals Blog
Preparing For Post-Election Social Unrest
Live Markets
25Oct2016 Pre-Market Commentary: Wall Street Pensive Awaiting Corporate Earnings And Economic News
Amazon Books & More

.... and keep up with economic news using our dynamic economic newspapers with the largest international coverage on the internet
Asia / Pacific
Middle East / Africa
USA Government

Crowdfunding ....



Analysis Blog
News Blog
Investing Blog
Opinion Blog
Precious Metals Blog
Markets Blog
Video of the Day


Asia / Pacific
Middle East / Africa
USA Government

RSS Feeds / Social Media

Combined Econintersect Feed

Free Newsletter

Marketplace - Books & More

Economic Forecast

Content Contribution



  Top Economics Site Contributor TalkMarkets Contributor Finance Blogs Free PageRank Checker Active Search Results Google+

This Web Page by Steven Hansen ---- Copyright 2010 - 2016 Econintersect LLC - all rights reserved