The FDIC and the FFIEC have released a Cybersecurity Assessment Tool to help financial institutions with less than $1 billion in total assets identify their cybersecurity risks and determine their preparedness. The Assessment gives an institution a repeatable, measurable process for tracking its cybersecurity preparedness over time.
The Assessment consists of two parts: the Inherent Risk Profile and the Cybersecurity Maturity. The Inherent Risk Profile identifies the institution's inherent risk, that is, the risk that exists before any controls are applied. The Cybersecurity Maturity part is organized into domains, assessment factors, components, and individual declarative statements across five maturity levels (Baseline, Evolving, Intermediate, Advanced, and Innovative) to identify the specific controls and practices that are in place. Management can determine the institution's maturity level in each domain, but the Assessment is not designed to produce a single overall cybersecurity maturity level.

To complete the Assessment, management first assesses the institution's inherent risk profile across five categories:
1. Technologies and Connection Types
2. Delivery Channels
3. Online/Mobile Products and Technology Services
4. Organizational Characteristics
5. External Threats

Management then evaluates the institution's Cybersecurity Maturity level in each of five domains:
1. Cyber Risk Management and Oversight
2. Threat Intelligence and Collaboration
3. Cybersecurity Controls
4. External Dependency Management
5. Cyber Incident Management and Resilience

Comparing the maturity results against the inherent risk profile shows whether the institution's controls are commensurate with its risk and where additional controls or practices are needed.
The FDIC encourages institutions to comment on the usability of the Cybersecurity Assessment Tool, including the estimated number of hours required to complete the Assessment, through a forthcoming Federal Register Notice. FDIC-supervised institutions may submit questions about the FFIEC Cybersecurity Assessment Tool at https://fdicsurveys.co1.qualtrics.com/jfe/form/SV_4JgpIWXWB9Gjps1.