
FFIEC Issues Press Release on Cybersecurity Preparedness Assessments (and Muddies the Waters)

A Standardized Approach

On August 28th, the FFIEC issued a press release entitled “FFIEC Encourages Standardized Approach to Assessing Cybersecurity Preparedness”. The release “…emphasized the benefits of using a standardized approach to assess and improve cybersecurity preparedness.” On the surface this seems very logical and straightforward, but in fact it may have created more confusion and complication than clarification regarding regulator expectations.

Here is some background. Back in the summer of 2014, the FFIEC piloted a cybersecurity examination work program (Cybersecurity Assessment) at over 500 community financial institutions to evaluate their preparedness to mitigate cyber risks. Based on the results of the Cybersecurity Assessment, FFIEC members found that many financial institutions (and most community institutions) would benefit from a standardized approach to cybersecurity assessment. As a result, in 2015 (with a subsequent update in 2017) the FFIEC:

“…developed the Cybersecurity Assessment Tool (Assessment) to help institutions identify their risks and determine their cybersecurity preparedness. The Assessment provides a repeatable and measurable process for financial institutions to measure their cybersecurity preparedness over time.”

This Tool has since become the de facto standard for all primary federal regulatory agencies. This isn’t surprising, since FFIEC members consist of all federal regulatory agencies, plus the CFPB and state agencies.

Here is what the Federal Reserve said back in 2015:

“Beginning in late 2015 or early 2016, the Federal Reserve plans to utilize the assessment tool as part of our examination process when evaluating financial institutions’ cybersecurity preparedness…”

Similarly, the OCC stated in 2015:

“The OCC will implement the Assessment as part of the bank examination process over time to benchmark and assess bank cybersecurity efforts.”

The NCUA advised back in 2018 that:

“NCUA examiners will use the (FFIEC’s cybersecurity assessment tool) as a guide for assessing cybersecurity risks in credit unions.”

(The NCUA also subsequently developed their own tool called the ACET, modeled word-for-word on the FFIEC Tool.)

Finally, while the FDIC did state that use of the Tool was voluntary, they indicated that:

“FDIC examiners will discuss the Cybersecurity Assessment Tool with institution management during examinations to ensure awareness and assist with answers to any questions.”

One more thing… Since the Tool is “officially” voluntary, when asked in a regulator panel discussion earlier this year what other standards or tools examiners were seeing instead of the FFIEC, all the examiners (including the FDIC) admitted that the only assessment methodology they’ve seen is the FFIEC.

A Variety of Options

Clearly the Tool is now, and has always been, the de facto standard, and here is where the press release complicates things. First, I’ve always been a proponent of the Tool in the sense that any attempt to standardize examiner expectations is a good thing, because shared standards will usually result in less misinterpretation and fewer deviations from those expectations, i.e. fewer exam findings! But now the agencies seem to be backing away from a single standard, stating instead that “Institutions may choose from a variety of standardized tools aligned with industry standards and best practices to assess their cybersecurity preparedness.” They list the following as possible standardized tools:

Most confusing of all, the FFIEC even seems to be backing away from their own tool, stating that “…the FFIEC does not endorse any particular tool…”

What You Should Do

In summary, what should institutions do to adapt to this free-for-all of cyber preparedness standards? In short, nothing. If you’re already using the FFIEC Tool (or a service based on the FFIEC tool, like this), keep using it. Of the 4 competing standards, only the FFIEC Tool is specific to depository financial institutions. Additionally, using a different standard, while permitted, may invite additional scrutiny if the regulator is not well versed on that standard. And anything that invites additional scrutiny is not something most institutions prefer.

One final thought… Regardless of what tool you utilize, don’t forget that completing the assessment is only the first step in the cybersecurity preparedness process. As we have discussed before, determining where the gaps are in your program, and making a plan to close those gaps, are the next steps!