Much Ado About Nothing: Update to the FFIEC Cybersecurity Assessment Tool Barely Worth a Mention

When the FFIEC announced an update to Cybersecurity Assessment Tool last month, my team and I dug in ready to assess the changes.

There’s not much to report. The change barely even registers a blip on the preverbal radar.

None of the cybersecurity risks or maturity declarative statements changed. The cybersecurity maturity evaluation process added the ability to answer ‘yes with compensating controls’ and some additional references were provided for Appendix A: Mapping Baseline Statements to FFIEC IT Examination Handbook. It’s a blink-and-you’ll-miss-it adjustment—but it took a team of three experts scouring the 137-page guidance document to ensure we weren’t missing anything.

  • The change, minor though it may be, has already been implemented into Ncyber. That means FIs using the product not only didn’t have to waste time understanding this minuscule change, but when they next review the tool, it will be easy to see if the edits to the question impact their institution’s cybersecurity assessment.

    It’s all about keeping pace. When it comes to regulators, regulation, laws, and guidance, it’s essential to be thorough. Our team of experts speak fluent legalese and dig through every change to see if adjustments need to be made to any of our products—or in the guidance and analysis we provide our clients.

    Whatever you do to analyze new regulatory output, make sure it’s done regularly by someone with the knowledge to understand what it all means. Avoid the risk of misinterpretations when translating legalese into plain English.