Oklahoma Bankers Association
OBA News and Information

Cybersecurity assessment tool released by FFIEC

The agencies of the Federal Financial Institutions Examination Council on July 5 released a free cybersecurity self-assessment tool to help financial institutions of all sizes identify the cyber risks they face and assess their preparedness. In a nutshell, banks engaging in more cyber activities or in higher-risk areas are expected to implement additional risk mitigation controls.

The real target of this new assessment tool and process is the bank's board of directors. Importantly, bank board members are expected to use this new tool to recognize, review and assess the bank's cybersecurity risks and then determine the kinds of mitigating controls the bank has put in place to guard against “hacks.”

The tool itself includes a profile of a bank's inherent risks. The assessment is keyed to the characteristics of individual financial institutions, such as technology profile, product lines and size. The tool includes a template for a bank to use in doing its self-assessment and establishing its inherent risk profile.

The announcement and the available resources can be viewed at http://www.ffiec.gov/cybersecurity.htm.

Briefly, there are five dimensions of cybersecurity maturity measured by this new tool. It also includes suggestions for bankers to use when trying to evaluate and make sense out of its results.

The new tool also maps the maturity levels to the voluntary cybersecurity benchmarks developed by the National Institute of Standards and Technology. It's also significant that this new tool includes a template dealing with the maturity of cybersecurity issues. It will identify and analyze controls the bank already has in place to implement risk-mitigating practices like firewalls, how they are set up, how they are tested and what steps are taken to make sure they are being properly monitored.

This new cybersecurity assessment begins immediately (2015), and it's just one area of the OCC's new focus as recently announced by Comptroller Tom Curry. The OCC will also focus on the following areas:

  • Cyber security and cyber threats;
  • Strategic planning;
  • Credit underwriting;
  • Operational risk;
  • BSA/AML together with overall regulatory compliance;
  • Interest rate risk;
  • Fair lending; and
  • Responsiveness to matters requiring attention.

Our guess is that other federal banking regulators will also be looking at these same essential elements of bank operations across the board. For example, the FDIC issued revised examination procedures for the TILA-RESPA integrated disclosures that are now proposed to take effect on Oct. 3 of this year.

What seems to be driving these changes is the increasing competition for good loans, particularly in the C&D space, as well as implementation of the new TILA/RESPA integrated disclosure rules. In Texas and Oklahoma, the drop in oil and gas prices is squarely in the regulatory crosshairs to see what impact it's having on banks in these two states, among others.

BankOnIT, in Oklahoma City, also mentioned this assessment tool in its blog.
