The Federal Financial Institutions Examination Council (FFIEC) has released a Cybersecurity Assessment Tool, following last year’s pilot assessment of cybersecurity preparedness at over 500 institutions.
Concerned about the growing scope and impact of cybersecurity risk, the FFIEC aims to increase awareness of cyber threats, help institutions strengthen their digital defences, avert disruption to essential services, improve the state of industry preparedness and strengthen regulatory oversight.
In a world of intensifying systemic interdependencies and contagious vulnerabilities, disruption-inducing cyber threats – defined in terms of sophistication, speed of integration and volume – spell out a modest truth: financial institutions must better understand regulatory intent and supervisory expectations in order to mitigate the risks they encounter.
The primary aim of the Assessment Tool is to assist institutions in identifying cybersecurity risks and evaluating their defence capabilities. It consists of two parts:
Depending on their scale of operations, many financial institutions will see their inherent risk ranked high under the Assessment Tool’s classifications. This will push them towards the intermediate and advanced levels of cybersecurity maturity, which set quite demanding requirements. Although many large financial institutions may find the governance and risk management provisions familiar, the threat intelligence and technical cybersecurity control requirements are far more demanding.
Threat intelligence is an immature discipline in many organisations; while the FFIEC model will trigger useful debates around how this function might develop, it is likely that much more time will be required before the community develops to the point where it could score highly against the FFIEC’s criteria.
The tool’s cybersecurity control requirements push banks towards much broader network and application segregation than is often found in their global infrastructure, an aggressive approach to vulnerability management and red teaming, and a demanding set of auditing, logging and monitoring requirements. Third-party security holds a high profile in the FFIEC model; however, some banks will struggle to meet the intermediate, let alone the advanced, requirements of the model. In reality, without significant investment in security improvements – technology, people and process – many organisations will struggle to meet the model’s requirements.
Cybersecurity robustness is recognised as essential for financial stability. Consequently, the FFIEC model is a clear signal to the community that a higher level of cybersecurity is expected of our largest financial institutions, even if component parts of the model remain challenging.
The new Cybersecurity Assessment Tool goes live in Q4 2015. The Federal Reserve plans to use its specifications when evaluating financial institutions’ cybersecurity resilience and when conducting ‘safety and soundness’ examinations and supervisory inspections. Significantly, FFIEC members plan to keep the tool’s methodology under review as threats and operating environments evolve.