InfoSight Spotlight: FFIEC Cybersecurity Assessment Tool

In this week’s InfoSight newsletter, credit unions are reminded of the Federal Financial Institutions Examination Council’s June 2015 launch of the Cybersecurity Assessment Tool to help institutions identify their risks and assess their cybersecurity preparedness. NCUA encourages all credit unions to use the FFIEC tool to manage cyber security risks. While the use of the […]

In this week’s InfoSight newsletter, credit unions are reminded of the Federal Financial Institutions Examination Council’s June 2015 launch of the
Cybersecurity Assessment Tool to help institutions identify their risks and assess their
cybersecurity preparedness. NCUA encourages all credit unions to use the FFIEC tool to manage cyber security risks. While the use of the tool is not mandatory, NCUA examiners are incorporating the tool into their examination process.

The Assessment consists of two main components; the Inherent Risk Profile and the Cybersecurity Maturity. The Inherent Risk Profile helps the institution understand how their products and services contribute to the institution’s overall inherent risk and whether specific categories pose more risk than others. The Cybersecurity Maturity component contains assessment factors and individual declarative statements across five main domains to identify specific controls and practices. While management can determine the institution’s maturity level in each area, the Assessment is not designed to identify an overall cyber security maturity level.

Before beginning the assessment the FFIEC provided an overview of the tool for senior management to review as well as a user’s guide. To complete the Assessment, the credit union first assesses the institution’s Inherent Risk Profile based on five categories:

  • Technologies and Connection Types
  • Delivery Channels
  • Online/Mobile Products and Technology Services
  • Organizational Characteristics
  • External Threats

Management then evaluates the institution’s cybersecurity Maturity Level for each of the five domains:

  • Cyber Risk Management and Oversight
  • Threat Intelligence and Collaboration
  • Cybersecurity Controls
  • External Dependency Management
  • Cyber Incident Management and Resilience

By reviewing both the institution’s inherent risk profile and maturity levels across the domains, management can determine whether its maturity levels are appropriate in relation to its risk. If not, the institution may take action either to reduce the level of risk or to increase the levels of maturity. This process is intended to complement, not replace, an institution’s risk management process and cyber security program.

To read the full InfoSight newsletter, click here.

Written by
admin
View all articles

About Us

The League of Southeastern Credit Unions & Affiliates represents 342 credit unions in Alabama, Florida and Georgia, with a combined total of $118.63 billion in assets and more than 10.1 million members. LSCU & Affiliates provides legislative and regulatory advocacy; education and training; cooperative initiatives (including financial education outreach); public messaging; information services; and business solutions.

LSCU Mission Statement

To create an environment that enables credit unions to grow and succeed.

LSCU Vision Statement

To be the trusted advocate and preferred source of information for credit unions.

If you need to reach us, e-mail communications@lscu.coop

Social Channels

Follow us on all major social media platforms.