Back in 2015, the Federal Financial Institutions Examination Council (FFIEC) released its Cybersecurity Assessment Tool. Designed to assist financial institutions of all sizes identify and assess risks and weaknesses in their cybersecurity posture, it has notably been met with widespread confusion and complaints.
The FFIEC has recently tried to clear some of this up by releasing a “Frequently Asked Questions” guide to the tool, with mixed results.
These complaints include everything from critiques on the effectiveness of the tool to confusion over whether it is truly voluntary or not and frustration over the amount of time needed to collect and input data into the tool itself.
Banking institutions have also been wondering exactly how this tool should be used to address areas of risk and if it should be used as a part of federal regulators’ examinations.
Realizing the knowledge gap was causing widespread consternations, the FFIEC created the FAQ for the tool. Banks and Credit Unions may still find this lacking, however, as this guide does not answer every question an organization might have about this tool, though it does contain information that a variety of FFIEC agencies found most important.
One of the key points outlined in the FAQ is the clarification that the tool is not mandatory or a required part of the IT examination process. This is a big relief for banks who have had trouble fitting all of their relevant information into the tool.
Furthermore, the FAQ seeks to clarify any inconsistencies there might be in how organizations rate their cybersecurity practices and posture – whether it be too generously or too low. The FFIEC found these inconsistencies were occurring when banking institutions who have limited knowledge of their security profile – due to outsourcing this work to third party cybersecurity firms – filled out this form themselves.
Despite the FFIEC’s attempts to shed some light on how their tool can be used, there is still a decided lack of clarity over issues like what this tool could potentially evolve into and if it will become automated at some point.
Should you get used to using it now, or potentially pay the consequences later playing catch up? The truth is you should prepare for this eventuality and become familiar with this tool now, especially as cyberattacks continue to increase and become more common and the FFIEC feels more pressure to add this into their checkups.
If you’re struggling to understand the complexities of this tool, BAI Security can help. Contact us at firstname.lastname@example.org to find out how we can ease some of these concerns and help you review your Cyber Security Assessment Tool. We’re here to help you get a better understanding of your inherent risk level and maturity score and to provide helpful recommendations on how to improve your security posture.