There has been a significant rise in the number and complexity of Cybersecurity threats over the last several years in the financial services industry.
Institutions have been in need of a tool that can aid in identifying all the different risk types and how to develop a plan to be prepared for this continuously growing number of threats.
Finally, a tool has been developed for these institutions, and credit unions in particular. The Federal Financial Institutions Examination Council (FFIEC) has designed and developed an assessment tool called the FFIEC Cybersecurity Assessment Tool (CAT).
This tool encompasses security controls to identify the possible risks, assess the current plan, and evaluate the plan against those risks. It also defines the proper controls to improve and mitigate the risks and to communicate the improved plan within the institution. The main purpose of this tool is to give the institution's management team insight into how to maintain, and continually improve, the overall security posture against cyber threats.
“FFIEC Cybersecurity assessment is a critical component of every examination. The examiners expect both documentation and technical responses according to ACET. ACET is aligned with FFIEC CAT. Automating both ACET and FFIEC CAT for the entire credit union has been critical in maintaining compliance.
Credit unions with $1B AUM or less need to quickly automate FFIEC before requirements become too burdensome to manage. The maturity and risk levels help in right-sizing the effort; however, to effectively manage risk, automation has been the key.” Lisa Williamson, Chief Risk Officer at Bayer Heritage Credit Union
So you may be asking: how do you implement the FFIEC CAT within your organization? There are two main parts: the Inherent Risk Profile, which includes risk profiles and risk levels, and Cybersecurity Maturity, which covers a set of domains and maturity levels.
What Is FFIEC: Inherent Risk Profiles
A. Risk Profiles
a. Technologies and connection types
b. Delivery Channels
c. Online/Mobile Products and Technologies Services
d. Organizational Characteristics
e. External Threats
Technologies and Connection Types:
- This profile illustrates how particular connections carry higher risk than others, based on characteristics like complexity and the function of the technology the connection is used for.
- This includes the number of personal devices, unsecured connections, Internet service providers, network devices, end-of-life systems, and cloud services.
- Whether systems are hosted internally or externally also describes this profile.
Delivery Channels:
- Here, risk increases as the number and variety of delivery channels increase.
- This is where it is specified whether products/services are available through online and mobile delivery channels, and even ATMs.
Online/Mobile Products and Technologies Services:
- Different products and services carry different levels of risk depending on what the service or product encompasses.
- With that, there are several payment services in this category to consider, such as credit cards, debit cards, person-to-person payments, wholesale payments, and wire transfers.