Remember when you were in college and had to decide if you’d do the recommended reading for a class? It wasn’t exactly mandatory, but you never knew if that material would show up on a test. You were taking a risk if you chose to ignore it.
Financial institutions run the same risk today if they ignore the Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool. Released last year, the assessment tool helps institutions identify their risks and determine their cybersecurity preparedness by providing “a repeatable and measurable process for financial institutions to measure their cybersecurity preparedness over time.”
Now the FFIEC has released a Frequently Asked Questions document about the assessment tool. While banks and credit unions have been disappointed by the limited amount of new information in the FAQ, there’s something to be said about how it repeats a common and slightly misunderstood word: voluntary.
The FFIEC continues to say the tool is voluntary, but the truth is the FFIEC itself doesn’t really have much enforcement authority. That’s the domain of its members, which is what makes the answer to Question 12, “How are the FFIEC members using this Assessment?,” extremely important.
The answer: “To obtain additional information about a particular FFIEC member’s use of the Assessment, financial institution management should contact its institution’s regulator directly.”
Wait. So the FFIEC says it’s voluntary, but check with your regulator to make sure it’s really voluntary. What do the agencies have to say?
OCC. In a press release announcing the assessment tool last year, the OCC said: “While use of the Assessment is optional for financial institutions, OCC examiners will use the Assessment to supplement exam work to gain a more complete understanding of an institution’s inherent risk, risk management practices, and controls related to cybersecurity. OCC examiners will begin incorporating the Assessment into examinations in late 2015.”
FDIC. In a press release introducing the assessment, the FDIC said using the assessment was “voluntary.” It also noted that “FDIC examiners will discuss the Cybersecurity Assessment Tool with institution management during examinations to ensure awareness and assist with answers to any questions.”
Fed. In a supervision and regulation letter last July, the Fed said, “Beginning in late 2015 or early 2016, the Federal Reserve plans to utilize the assessment tool as part of our examination process when evaluating financial institutions’ cybersecurity preparedness in information technology and safety and soundness examinations and inspections.”
NCUA. The agency’s website says “NCUA examiners will use the tool as a guide for assessing cybersecurity risks in credit unions. Credit unions may choose whatever approach they feel appropriate to conduct their individual assessments, but the assessment tool would still be a useful guide.”
Meanwhile in what may become a trend, the Texas Department of Banking “encourages banks to use the FFIEC Cybersecurity Assessment Tool, as it is the only methodology [for measuring inherent cyber risks and cybersecurity preparedness] specifically designed for the banking industry, particularly community banks.”
That clears it up, doesn’t it? It’s optional, but it may be part of the exam process. You don’t have to study, but the material might be on the test.
So what’s the right thing to do?
However your institution chooses to treat the assessment tool, make sure you seriously consider its implications—and make a strategic decision about its use. You don’t want any surprises come exam time.