Pub. 4 2015 Issue 3
The CommunityBanker, p. 16

BANK BYTES

FFIEC Cybersecurity Assessment Tool—Reader’s Digest Version
By Russ Horn, CISA, CISSP, CRISC

On June 30, 2015, the FFIEC released a new Cybersecurity Assessment Tool. The tool is designed to help financial institutions, such as banks and credit unions, identify their inherent cybersecurity risk and assess their cybersecurity preparedness. The release of the tool comes on the cusp of last year’s pilot assessment on cybersecurity preparedness at more than 500 financial institutions.

The FFIEC Cybersecurity Assessment Tool (Assessment) consists of the following PDF documents:
• Overview for Chief Executive Officers and Board of Directors
• User’s Guide
• Inherent Risk Profile
• Cybersecurity Maturity
• Additional Resources

While the Assessment is not required, it is encouraged to help financial institutions perform a self-evaluation of their cybersecurity inherent risk and maturity. Executive management and board oversight are also a major theme of the tool.

CEO and Board Responsibilities
The Assessment puts emphasis on executive and board involvement. The Overview for CEOs and Boards of Directors document provides suggested roles and responsibilities for the CEO and the board. Some of the suggested responsibilities include:
• Approve plans to use the Assessment (Board)
• Develop a plan to conduct the Assessment (CEO)
• Lead employee efforts during the Assessment (CEO)
• Engage management in establishing the institution’s vision, risk appetite, and overall strategic direction (Board)
• Set the target state of cybersecurity preparedness that best aligns to the board of directors’ stated risk appetite (CEO)
• Review, approve, and support plans to address risk management and control weaknesses (CEO)
• Review and approve plans to address any risk management or control weaknesses (Board)
• Analyze and present results (CEO)
• Review management’s analysis and determinations of the Assessment results (Board)
• Oversee ongoing monitoring and changes (CEO)
• Review results of management’s ongoing monitoring (Board)

Inherent Risk Profile
The assessment process primarily consists of two main parts: Inherent Risk Profile and Cybersecurity Maturity. Inherent risk levels incorporate the type, volume, and complexity of the institution’s operations, including cybersecurity threats directed at the institution. Inherent risk does not include mitigating controls and can fall in one of five risk