Assessing FFIEC Compliance & Risk Factors

In an effort to get financial institutions ahead of the game in the face of ever-more sophisticated cybersecurity threats, the FFIEC released an Assessment Tool that lets institutions check their technological environment for risk factors (the full version of this tool can be found at https://www.ffiec.gov/cyberassessmenttool.htm). It asks you to assess your environment's security and risks across the following facets:

Inherent Risk Profile

  • Technologies and Connection Types: How many active ISP (Internet Service Provider) connections are present in an institution? In layman's terms: how many employees use the internet to do their jobs? How often do employees or devices connect externally without a security protocol? Do employees use Wi-Fi to connect to the internet, or do their workstations have a hard line in? How many personal devices can be connected to an institution's network, and what applications can they use while connected? Do third parties such as vendors or subcontractors have dedicated access to your network? What about customers? Do your workstations use internally hosted and developed applications to monitor vendor activities? How many workstations are approaching their EOL (end-of-life)? Do employees use open-source software in their daily tasks? How many network devices are in play, such as firewalls, servers and routers? How many cloud providers do you use? These are all questions that should be answered to determine the inherent risk that exists within an institution's digital environment. Good rule of thumb: the fewer connections, the more secure the network is.
  • Delivery Channels: What is your customer-facing presence online? Do you have a website? Does it serve merely as an informational platform? A social media page? Does it allow your customers to manage their banking online? Do you allow the same kind of access and delivery on mobile devices? Does your institution provide ATM service, whether through machines or other avenues? How customers interact with these delivery channels also affects the inherent risk of your institution. Good rule of thumb: the less customers do on these channels, the greater the security.
  • Online/Mobile Products and Technology Services: Does your institution issue debit and/or credit cards? What about prepaid cards? Do the services provided include newer technologies that are still being developed, such as digital wallets? Can customers make person-to-person payments through apps like Venmo? Can customers initiate ACH or wholesale payments? Can merchants use remote deposit capture through your institution? Does your institution manage trusts? Does it act as a correspondent to another bank for transfers? While providing multiple services enhances the customer experience, you must also understand that each service bears its own inherent risk to your digital environment's security.
  • Organizational Characteristics: How many direct employees does your institution currently have? Are there any mergers or acquisitions planned? Are the IT and security teams properly staffed? How many employees get administrator-level access to the network? Is your IT environment currently stable, or is it undergoing significant changes? How many branch/business locations does your institution run? How many operations centers or data centers does it run? How an institution is organized and staffed is a large factor in determining inherent risk.
  • External Threats: How many attempted attacks or instances of reconnaissance occur on a monthly basis? When talking about cybersecurity, this is usually the first thing that comes to mind, but it is only one part of the larger picture when determining an institution's inherent risk factors.

Cybersecurity Maturity

This second part of the assessment tool determines an institution’s cybersecurity maturity through assessments across five different domains: Risk Management & Oversight, Threat Intelligence & Collaboration, Cybersecurity Controls, External Dependency Management, and Cyber Incident Management & Resilience.

  • Risk Management & Oversight: Who in management is responsible for overseeing, implementing, and managing security programs? How often do these team members meet? What kind of budget are they working with to manage these tools? How comprehensive are the internal audits of the network, and how often are audits performed? How comprehensive is employee training in risk mitigation? Institutions that are at the leading edge of risk mitigation and oversight regularly discuss ways to develop cybersecurity improvements that can be applied sector-wide, proactively rather than in response to specific threats or incidents.
  • Threat Intelligence and Collaboration: How efficiently is intelligence on current security threats obtained? What sources are used for this information? How often are audit log records and security event logs analyzed? How are updates in cyber threat intelligence shared across the institution as a whole?
  • Cybersecurity Controls: How comprehensive is an institution's protocol for risk-scoring its infrastructure assets? Is that scoring updated in real time based on the results? How quickly are the riskier assets disconnected or otherwise dealt with? Which employees have access to which data? If malicious behavior is suspected, how is the threat from that employee mitigated? How is data removed or managed on a device when it is suspected to be compromised? How secure is your network's internal coding, and how often is it updated based on cybersecurity intelligence? How comprehensive are the tools that detect vulnerabilities? While an institution can take several steps to mitigate or remove risk factors, the ability to respond quickly and thoroughly to specific security events is equally critical.
  • External Dependency Management: What business processes or elements depend on external connections? How are third-party connections authorized and secured? Is there an actively updated schematic that identifies all external connections? How is due diligence performed to determine a third party's risk factors before allowing access? How are contracts with third parties crafted and enforced? How is the risk management for third-party connections kept up to date? Many institutions rely on third-party vendors or contractors to provide the full breadth of services they seek to offer their customers, but it is critical that these connections be as secure as any within the institution's internal network.
  • Cyber Incident Management and Resilience: How does an institution respond to specific cyber incidents? What communication channels exist to ensure employees can report incidents in a timely manner? Is there a specific response team ready to address incidents on behalf of each of an institution's sectors? How capable is an institution of moving various functions to other processing or data centers in the event of a cyber incident? How quickly can automated systems detect attacks and inform management and the response team? In the aftermath of an incident, what protocols are in place to limit access to and use of compromised information? These factors will determine how quickly an institution can respond to a specific cyber incident, in addition to how effectively it can mitigate the fallout of compromised systems by re-securing data and keeping management, the response team, and, as necessary, customers informed.