In this week’s InfoSight newsletter, credit unions are reminded of the Federal Financial Institutions Examination Council’s June 2015 launch of the Cybersecurity Assessment Tool to help institutions identify their risks and assess their cybersecurity preparedness. NCUA encourages all credit unions to use the FFIEC tool to manage cybersecurity risks. While the use of the tool is not mandatory, NCUA examiners are incorporating the tool into their examination process.
The Assessment consists of two main components: the Inherent Risk Profile and the Cybersecurity Maturity. The Inherent Risk Profile helps the institution understand how its products and services contribute to its overall inherent risk and whether specific categories pose more risk than others. The Cybersecurity Maturity component contains assessment factors and individual declarative statements across five main domains to identify specific controls and practices. While management can determine the institution’s maturity level in each area, the Assessment is not designed to identify an overall cybersecurity maturity level.
Before beginning the Assessment, the FFIEC provides an overview of the tool for senior management to review, as well as a user’s guide. To complete the Assessment, the credit union first assesses the institution’s Inherent Risk Profile based on five categories:
- Technologies and Connection Types
- Delivery Channels
- Online/Mobile Products and Technology Services
- Organizational Characteristics
- External Threats
Management then evaluates the institution’s Cybersecurity Maturity level for each of the five domains:
- Cyber Risk Management and Oversight
- Threat Intelligence and Collaboration
- Cybersecurity Controls
- External Dependency Management
- Cyber Incident Management and Resilience
By reviewing both the institution’s Inherent Risk Profile and its maturity levels across the domains, management can determine whether its maturity levels are appropriate in relation to its risk. If not, the institution may take action either to reduce the level of risk or to increase the levels of maturity. This process is intended to complement, not replace, an institution’s risk management process and cybersecurity program.
To read the full InfoSight newsletter, click here.