FFIEC Releases Cybersecurity Assessment Tool

The Federal Financial Institutions Examination Council (FFIEC) has released a Cybersecurity Assessment Tool, following last year’s pilot assessment of cybersecurity preparedness at over 500 institutions.


Concerned about the growing scope and impact of cybersecurity risk, the FFIEC aims to increase awareness of cyber threats, help institutions strengthen their defences, avert disruption to essential services, improve the state of industry preparedness and strengthen regulatory oversight.

In a world of intensifying systemic interdependencies and contagious vulnerabilities, disruption-inducing cyber threats, characterised by their sophistication, speed of integration and volume, point to a simple truth: financial institutions must better understand regulatory intent and supervisory expectations in order to mitigate the risks they encounter.

The primary aim of the Assessment Tool is to assist institutions in identifying cybersecurity risks and evaluating their defence capabilities. It consists of two parts:

  1. Inherent risk profile, supporting the identification of an institution’s level of cybersecurity risk;
  2. Cybersecurity maturity, helping senior management determine their organisation’s controls and defence levels.

Depending on their scale of operations, many financial institutions will see their inherent risk ranked high under the Assessment Tool’s taxonomy. This will drive them towards the intermediate and advanced cybersecurity maturity levels, which set quite demanding requirements. Although many large financial institutions may find the governance and risk management provisions familiar, the threat intelligence and technical cybersecurity control requirements are far more demanding.

Threat intelligence is an immature discipline in many organisations; while the FFIEC model will trigger useful debates around how this function might develop, it is likely that much more time will be required before the community could score highly against FFIEC’s criteria.

The tool’s cybersecurity control requirements push banks towards much broader network and application segregation than is often found in their global infrastructure, an aggressive approach to vulnerability management and red teaming, and a demanding set of auditing, logging and monitoring requirements. Third-party security holds a high profile in the FFIEC model; however, some banks will struggle to meet the requirements of the intermediate level, let alone the advanced level, of the model. In reality, without significant investment in security improvements across technology, people and process, many organisations will struggle to meet the model’s requirements.

Cybersecurity robustness is recognised as essential for financial stability. Consequently, the FFIEC model is a clear signal to the community that a higher level of cybersecurity is expected of our largest financial institutions, even if component parts of the model remain challenging.

The new Cybersecurity Assessment Tool goes live in Q4 2015. The Federal Reserve plans to use its specifications in evaluating financial institutions’ cybersecurity resilience and in conducting ‘safety and soundness’ examinations and supervisory inspections. Significantly, FFIEC members plan to keep the tool’s methodology under review as the threats posed by evolving operational environments change.
