InfoSight Spotlight: FFIEC Cybersecurity Assessment Tool

In this week’s InfoSight newsletter, credit unions are reminded of the Federal Financial Institutions Examination Council’s June 2015 launch of the Cybersecurity Assessment Tool to help institutions identify their risks and assess their cybersecurity preparedness. NCUA encourages all credit unions to use the FFIEC tool to manage cybersecurity risks. While the use of the tool is not mandatory, NCUA examiners are incorporating the tool into their examination process.

The Assessment consists of two main components: the Inherent Risk Profile and the Cybersecurity Maturity. The Inherent Risk Profile helps the institution understand how its products and services contribute to its overall inherent risk and whether specific categories pose more risk than others. The Cybersecurity Maturity component contains assessment factors and individual declarative statements across five main domains to identify specific controls and practices. While management can determine the institution’s maturity level in each area, the Assessment is not designed to identify an overall cybersecurity maturity level.

For review before beginning the Assessment, the FFIEC provided an overview of the tool for senior management, as well as a user’s guide. To complete the Assessment, the credit union first assesses the institution’s Inherent Risk Profile based on five categories:

  • Technologies and Connection Types
  • Delivery Channels
  • Online/Mobile Products and Technology Services
  • Organizational Characteristics
  • External Threats

Management then evaluates the institution’s cybersecurity Maturity Level for each of the five domains:

  • Cyber Risk Management and Oversight
  • Threat Intelligence and Collaboration
  • Cybersecurity Controls
  • External Dependency Management
  • Cyber Incident Management and Resilience

By reviewing both the institution’s inherent risk profile and maturity levels across the domains, management can determine whether its maturity levels are appropriate in relation to its risk. If not, the institution may take action either to reduce the level of risk or to increase the levels of maturity. This process is intended to complement, not replace, an institution’s risk management process and cybersecurity program.

Written by
admin