Changes to FFIEC Cybersecurity Tool help banks meet baseline.
A just-released update to the Federal Financial Institutions Examination Council’s Cybersecurity Assessment Tool should help make meeting regulators’ demands for “baseline” cybersecurity more attainable. The changes only affect Appendix A of the tool, but those changes make a difference for smaller institutions.
For example, many smaller institutions were not able to meet the tool’s requirement for having a data-flow diagram, because many of them simply do not have one. They may have network diagrams or network topologies, but without a data-flow diagram they could not reach baseline in the cybersecurity maturity level rating.
Now, due to the updates to Appendix A, banks and credit unions don’t have to prove that they have a data-flow diagram. They just have to prove that compensating controls are in place. So, in the absence of a data-flow diagram, they may be able to meet this requirement with a detailed network topology.
The tool, which the FFIEC introduced in June 2015, has been criticized by some security experts for its vagueness and diversion from other well-established cybersecurity assessment frameworks, such as the NIST Cybersecurity Framework.
The tool also has been criticized by banks and credit unions, which claim its use does not seem voluntary, as regulators have repeatedly insisted.
While the FFIEC’s Cybersecurity Assessment Tool may have flaws, it’s important for all institutions to use the tool to assess their own cybersecurity preparedness. It can give institutions a different perspective on additional threats they might be facing. Walk through it; talk about the different items. Take two or three separate sessions to complete it. Don’t think you need to get it all done at one time.
Work with your IT committee and senior management to discuss each area and understand, ‘Are we actually compliant with these particular areas? And if we do want to move to a higher complexity organization or services that may increase our inherent risk level, what is it we might need to do, then, in order to meet that from a cybersecurity maturity level standpoint?’
The changes should make it easier for smaller institutions to reach the baseline. In the meantime, if you have any questions about cybersecurity or audit preparation, give ITPAC a call today.