A Standardized Approach
On August 28th, the FFIEC issued a press release entitled “FFIEC Encourages Standardized Approach to Assessing Cybersecurity Preparedness”. The release “…emphasized the benefits of using a standardized approach to assess and improve cybersecurity preparedness.” On the surface this seems very logical and straightforward, but in fact it may have added more confusion and complication than clarification regarding regulator expectations.
Here is some background. Back in the summer of 2014, the FFIEC piloted a cybersecurity examination work program (the Cybersecurity Assessment) at over 500 community financial institutions to evaluate their preparedness to mitigate cyber risks. Based on the results of the Cybersecurity Assessment, FFIEC members found that many financial institutions (and most community institutions) would benefit from a standardized approach to cybersecurity assessment. As a result, in 2015 (and subsequently updated in 2017) the FFIEC:
This Tool has since become the de facto standard for all primary federal regulatory agencies. This isn’t surprising, since FFIEC members consist of all federal regulatory agencies, plus the CFPB and state agencies.
Similarly, the OCC stated in 2015:
The NCUA advised back in 2018 that:
(The NCUA also subsequently developed their own tool called the ACET, modeled word-for-word on the FFIEC Tool.)
Finally, while the FDIC did state that use of the Tool was voluntary, they indicated that:
One more thing… Since the Tool is “officially” voluntary, when asked in a regulator panel discussion earlier this year what other standards or tools examiners were seeing instead of the FFIEC Tool, all the examiners (including the FDIC) admitted that the only assessment methodology they’ve seen is the FFIEC Tool.
A Variety of Options
Clearly the Tool is now, and has always been, the de facto standard, and here is where the press release complicates things. First, I’ve always been a proponent of the Tool in the sense that any attempt to standardize examiner expectations is a good thing, because shared standards usually result in less misinterpretation and fewer deviations from those expectations, i.e. fewer exam findings! But now the agencies seem to be backing away from a single standard, stating instead that “Institutions may choose from a variety of standardized tools aligned with industry standards and best practices to assess their cybersecurity preparedness.” They list the following as possible standardized tools:
- FFIEC Cybersecurity Assessment Tool
- National Institute of Standards and Technology Cybersecurity Framework
- Financial Services Sector Coordinating Council Cybersecurity Profile
- Center for Internet Security Critical Security Controls
Most confusing of all, the FFIEC even seems to be backing away from their own tool, stating that “…the FFIEC does not endorse any particular tool…”
What You Should Do
In summary, what should institutions do to adapt to this free-for-all of cyber preparedness standards? In short, nothing. If you’re already using the FFIEC Tool (or a service based on the FFIEC Tool, like this), keep using it. Of the four competing standards, only the FFIEC Tool is specific to depository financial institutions. Additionally, using a different standard, while permitted, may invite additional scrutiny if the regulator is not well versed in that standard. And anything that invites additional scrutiny is not something most institutions prefer.
One final thought… Regardless of what tool you utilize, don’t forget that completing the assessment is only the first step in the cybersecurity preparedness process. As we have discussed before, determining where the gaps are in your program, and making a plan to close those gaps, are the next steps!