There has been a significant rise in the number and complexity of Cybersecurity threats over the last several years in the financial services industry.

Institutions have been in need of a tool that can aid in identifying all the different risk types and how to develop a plan to be prepared for this continuously growing number of threats. 

Finally, a tool has been developed for these intuitions, especially for Credit Unions.  The Federal Financial Institutions Examination Council (FFIEC) has designed and developed an assessment tool called the FFIEC Cybersecurity Assessment Tool (CAT)

This tool encompasses security controls to identify the possible risks, assess the current plan, and evaluate the plan against the risks.  It also defines the proper controls to improve and mitigate the risks and communicate the improved plan with the institution.  The main purpose of this tool is to give insight to the Institution’s Management team on how to maintain, but also to continually improve the overall security against Cyber threats.

“FFIEC Cybersecurity assessment is a critical component of every examination. The examiners expect both documentation and technical responses according to ACET. ACET is aligned with FFIEC CAT. Automating both ACET and FFIEC CAT for the entire credit union has been critical in maintaining compliance. 

Credit unions with $1B AUM or less need to quickly automate FFIEC before requirements become too burdensome to manage. The maturity and risk levels help in right-sizing the effort however to effectively manage risk, automation has been the key.” Lisa Williamson, Chief Risk Officer at Bayer Heritage Credit Union

So, you may be asking how do you implement the FFIEC CAT within your organization? Well, there are two main parts:  Inherent Risk Profile, which includes risk profiles and levels; and Cybersecurity Maturity, which entails different domains and maturity levels. 

What Is FFIEC: Inherent Risk Profiles

A. Risk Profiles

a. Technologies and connection types
b. Delivery Channels
c. Online/Mobile Products and Technologies Services
d. Organizational Characteristics
e. External Threats

Technologies and Connection Types:

  • This profile illustrates how particular connections add higher risk than other connections, based on characteristics like complexity and the function of the technology the connection is used for. 
  • This includes the number of personal devices, unsecured connections, Internet service providers, network devices, end of life systems, and cloud services. 
  • Also, whether systems are hosted internally or externally describe this profile as well.

Delivery Channels:

  • Here, risk increases as the number and variety of delivery channels increase. 
  • This is where it is specified if products/services are available through online and mobile delivery channels, and even ATMs.

Online/Mobile Products and Technologies Services:

  • Different products and services have different levels of risk depending on what that service or product encompasses.
  • With that, there are several payment services in this category to consider, like credit cards, debit cards, person to person payments, wholesale payments, and wire transfers. 

Organizational Characteristics:

  • This considers items like mergers and acquisitions, the number of direct employees, Cybersecurity contractors, and users with privileged access.  Also, it looks for changes in the security of IT staffing and the different locations of the operation/business and data centers.

External Threats:

  • This profile relates to the volume, sophistication (complexity), and type of threat attack against your institution.

B. Risk Levels

a. Least inherent risk
b. Minimal inherent risk
c. Moderate inherent risk
d. Significant inherent risk
e. Most inherent risk

Least Inherent Risk:

  • This level has limited use of technology.
  • There are no connections, few computers, few applications and few systems.
  • Also, there are few employees and the environment is quite small. 

Minimal Inherent Risk:

  • Here, there is limited complexity as far as technologies. 
  • There is little variety of less risky technological services/products.
  • Most critical systems are outsourced only.
  • There are few connection types to customers and third parties.

Moderate Inherent Risk:

  • Substance and sophistication of technologies are more complex at this risk level. 
  • Some critical systems and applications are outsourced, and some aspects are internally hosted.
  • There is a more diverse collection of products/services offered through diverse channels.

Significant Inherent Risk:

  • This has complex technologies in regards to scope and sophistication. 
  • Many new technological developments are defined at this risk level.
  • There are a large number of personal devices and connections to customers/third parties. 
  • Additionally, there are a variety of payment services which correlates to a high level of transactions.

Most Inherent Risk:

  • This has extremely complex technologies. 
  • Emerging and newly developed technologies are spread across multiple delivery channels. 
  • Most critical systems are hosted internally within this risk level. 
  • Also, a large volume of connection types transfer data with customers and third parties.

 What Is FFIEC:  Cybersecurity Maturity

After the inherent risk profile is completed, the next part of the CAT is to define the maturity for each of the domains.  There are a total of 5 domains within the FFIEC Cybersecurity Maturity Model.

5 Domains:

Within each domain, there are assessment factors, contributing components, and information that supports each assessment factor for that maturity level.

Domain 1:  Cyber Risk Management and Oversight

Governance

  • This includes oversight, strategies, policies, and IT asset management.

Risk Assessment

  • This includes a risk management program, risk assessment process, and audit function to manage risks, and to simultaneously make a clear assessment of the efficiency of key controls.

Resources

  • This involves staffing, tools, budgeting, and processes to ensure that the staff has the appropriate knowledge and experience for the institution based on their risk profiles.

Training and Culture

  • This includes employee training and customer awareness programs for threat mitigation.

Domain 2:  Threat Intelligence and Collaboration

Threat Intelligence

  • This refers to the acquisition and analysis of information to assess Cyber capabilities to improve the decision-making process.

Monitoring and Analyzing

  • This explains how an institution monitors, identifies and analyzes threats from their respective threat sources.

Information Sharing

  • This encompasses establishing relationships with others and sharing knowledge through forums and blogs to understand how threat information is communicated.

Domain 3:  Cybersecurity Controls

Preventative Controls

  • These are controls that help deter and prevent Cyber attacks through the use of infrastructure management, access management, endpoint security, and secure coding application.

Detective Controls

  • This includes threat and vulnerability detection, event detection, and heuristic behavioral analysis to detect anomalies.

Corrective Controls

  • These controls are used to resolve vulnerabilities through patch management and remediation through the use of vulnerability scans and penetration testing.

Domain 4:  External Dependency Management

Connections

  • This incorporates identification, monitoring, and management of eternally flowing connections and data to third (3rd) parties.

Relationship Management

  • This component includes concepts like due diligence, contracts, and continuous monitoring to assure that the controls are in alignment with the program pertaining to the institution’s Cybersecurity program.

Domain 5:  Cyber Incident Management and Resilience

Incident Resilience Planning and Strategy

  • This involves disaster recovery and business continuity plans to ensure minimal downtime, service disruptions and data loss.

Detection, Response, and Mitigation

  • This refers to the actions to be taken in order to identify, prioritize, and respond to, with the mission of complete mitigation.  This includes all external and internal threats and vulnerabilities.

Escalating and Reporting

  • This ensures key members, like board members and stakeholders, are informed about the impact of Cyber incidents.

Now that an overview of the 5 domains has been explained, let’s discuss the 5 maturity levels that are defined in each of the domains.

5 Maturity Levels:

  • Baseline
  • Evolving
  • Intermediate
  • Advanced
  • Innovative

Baseline

  • This maturity is characterized by minimum expectations required by law and regulations for compliance-driven items.

Evolving

  • This includes documented procedures and policies that are not already required.
  • Also, risk-driven objectives are in place for accountability in not only customer data protection, but also for information systems and assets.

Intermediate

  • This is characterized by detailed, formal processes where controls are validated and consistent for risk-management practices.

Advanced

  • In advanced maturity, the most common of the risk-management processes are automated and include continuous process improvement.

Innovative

  • Innovative maturity involves developing new controls, new tools, or creating new information-sharing groups.
  • Also, this level includes real-time, predictive analytics for automated responses.

 

What is FFIEC: Completing Cybersecurity Maturity

  • Each domain and maturity level has a set of declarative statements organized by the assessment factor.
  • To assist the institution’s ability to follow common themes across maturity levels, statements are categorized by components.
  • The components are groups of similar declarative statements to make the Assessment easier to use.

The Management Team decides which declarative statements are best for the current practices of the institution. Most importantly, all declarative statements in each maturity level, and previous levels, must be attained and sustained to achieve that domain’s maturity level.  Management may even determine that a declarative statement has been sufficiently sustained based on proven results.

What is FFIEC: Interpreting and Analyzing the Cybersecurity Assessment

Management can review the institution’s Inherent Risk Profile in relation to its Cybersecurity Maturity results for each domain to understand whether or not they are aligned.

In general, as an inherent risk rises, an institution’s maturity levels should increase. An institution’s inherent risk profile and maturity levels will change over time as threats, vulnerabilities, and operational environments change.

Thus, management should consider reevaluating its inherent risk profile and Cybersecurity maturity periodically and when planned changes can affect its inherent risk profile.

If management determines that the institution’s maturity levels are not appropriate in relation to the inherent risk profile, management should consider reducing the inherent risk or develop a strategy to improve the maturity levels.  This includes:

✓ Determining target maturity levels
✓ Conducting a gap analysis
✓ Prioritizing and planning actions
✓ Policy Management
✓ Implementing changes
✓ Reevaluating over time
✓ Communicating the results

By using maturity levels in each domain, management can identify potential actions that would increase their Cybersecurity program. Also, on a much larger scale and big picture planning, they can review the declarative statements at maturity levels that their institution could potentially attain to determine the actions needed to improve and implement changes for the more vulnerable areas.

If you have any questions about how Ignyte and our FFIEC compliance software and tools can help your organization, please feel free to contact us to request a free FFIEC compliance consultation with our cybersecurity specialists.