Risky Business: The FFIEC Cybersecurity Assessment Tool

To help financial institutions gain a clear picture of their risk and of the maturity of their cybersecurity programs, the Federal Financial Institutions Examination Council (FFIEC) created the FFIEC Cybersecurity Assessment Tool (the Assessment), a voluntary self-assessment.

The Assessment is intended to help an institution identify its risk across delivery channels, connection types, external threats, and organizational characteristics, so that its security management can be reliable, measurable, and driven by that risk rather than by guesswork.

Aligned with the FFIEC Information Technology Examination Handbook, the NIST Cybersecurity Framework, and other industry standards, the Assessment is conducted in two parts:

  1. Inherent risk profile – the organization’s risk before any mitigating controls are considered, based on its technologies, products, services, and threat exposure
  2. Cybersecurity maturity – the controls and practices actually in place, rated from Baseline through Evolving, Intermediate, and Advanced to Innovative

Maturity is rated separately in each of the following five domains:

  1. Cyber risk management and oversight
  2. Threat intelligence and collaboration
  3. Cybersecurity controls
  4. External dependency management
  5. Cyber incident management and resilience

Comparing the two parts shows whether an institution’s maturity is in line with its inherent risk. With the Assessment, an organization can identify its risk factors, judge how well its cybersecurity preparedness matches those risks, develop or strengthen controls where gaps appear, and establish a standard for measurable, repeatable results. That added visibility helps management and the board take proactive steps to improve both cybersecurity and the broader risk management strategy.