Otto background

The FFIEC Cybersecurity Assessment: Is It Worth Taking?

In 2017, financial services companies lost $16.8 billion to cybercriminals. While the typical American business gets attacked about 4 million times per year, FinServ organizations get hit over a billion times per year - approximately 30 attacks per second. The number of breaches has tripled in the past five years, and financial services firms pay more for cybersecurity attacks than any other industry.

These statistics make it clear that cybersecurity is a pressing concern for the financial services industry. Unfortunately, there is no “one size fits all” approach. The best cybersecurity strategy for one organization may not be right for a company with a different size, operating model, maturity level, innovation agenda, or risk threshold.

Enter the Federal Financial Institutions Examination Council (FFIEC)

The Federal Financial Institutions Examination Council, or FFIEC, was created to help financial services organizations “prescribe uniform principles, standards and report forms… to promote uniformity in the supervision of financial institutions.” The Council also offers information and resources to both consumers and financial institutions related to government programs and concerns.

The FFIEC takes cybersecurity seriously. The council provides a long list of assets for FinServ institutions that includes a resource guide and individual statements on specific threats including cyberattacks involving extortion, destructive malware, and compromising credentials. The FFIEC’s most comprehensive resource on cybersecurity is its Cybersecurity Assessment Tool.

The FFIEC developed the Cybersecurity Assessment Tool to “help institutions’ management identify their risks and determine their cybersecurity preparedness.” According to the FFIEC, the voluntary assessment process helps to:

  • Identify factors that contribute to and determine the institution’s overall cyber risk.
  • Assess the institution’s cybersecurity preparedness.
  • Evaluate whether the institution’s cybersecurity preparedness is aligned with its inherent risks.
  • Determine risk management practices and controls that are needed or require enhancement and actions to be taken to achieve the desired state.
  • Inform risk management strategies.

How does the FFIEC Cybersecurity Assessment Tool work?

The FFIEC recommends that financial services organizations that are interested in taking the assessment start by reading the Overview for Chief Executive Officers and Boards of Directors. This high-level document explains the benefits of using the assessment, roles, and responsibilities for the CEO and the Board, and the parts and processes of the assessment tool.

Next, the FFIEC asks that FinServ organizations read the user’s guide. A more comprehensive look into the Cybersecurity Assessment Tool, the user’s guide includes information on its background, how and when the tool should be used, and more details on its two primary components: the Inherent Risk Profile and Cybersecurity Maturity modules.

Part 1, the Inherent Risk Profile, seeks “to understand how each activity, service, and product contribute to the institution’s inherent risk and determine the institution’s overall inherent risk profile and whether a specific category poses additional risk.” It assesses factors including technologies and connection types; delivery channels; online/mobile products and services; organizational characteristics; and external threats to determine an overall inherent risk profile. Risk profiles are organized into five levels, ranging from Least Inherent Risk to Most Inherent Risk, designated by each organization’s responses.

Part 2, the Cybersecurity Maturity portion of the FFIEC’s assessment tool, determines the financial services institution’s maturity level across five domains:

  • Cyber Risk Management and Oversight
  • Threat Intelligence and Collaboration
  • Cybersecurity Controls
  • External Dependency Management
  • Cyber Incident Management and Resilience

Organizations respond by identifying which statements in each category most closely resemble their own operations, and are then assigned one of five maturity levels, from Baseline to Innovative.

Finally, participants interpret and analyze assessment results “to understand whether the institution’s inherent risk profile is appropriate in relation to its cybersecurity maturity and whether specific areas are not aligned.” The Cybersecurity Assessment Tool documentation is clear that “there is no single expected level for an institution” but that it’s important to understand and weigh the relationship between each org’s risk profile and maturity level.


Source: FFIEC Cybersecurity Assessment Tool User’s Guide

Should you take the FFIEC Cybersecurity Assessment?

Short answer: yes. The tool is relatively quick and straightforward, especially given that a government agency created it, and can provide some strong insight into your organization’s risk and maturity levels. It would be nice if it were automated, but paper works fine, too. While it does not provide all the answers to the cybersecurity problem, the tool does help identify areas of vulnerability or opportunity and puts your institution’s specific circumstances into perspective against the rest of the industry and the cybersecurity challenges at large.

Take the FFIEC Cybersecurity Assessment.

About Automox

Facing growing threats and a rapidly expanding attack surface, understaffed and alert-fatigued organizations need more efficient ways to eliminate their exposure to vulnerabilities. Automox is a modern cyber hygiene platform that closes the aperture of attack by more than 80% with just half the effort of traditional solutions.

Cloud-native and globally available, Automox enforces OS & third-party patch management, security configurations, and custom scripting across Windows, Mac, and Linux from a single intuitive console. IT and SecOps can quickly gain control and share visibility of on-prem, remote and virtual endpoints without the need to deploy costly infrastructure.

Experience modern, cloud-native patch management today with a 15-day free trial of Automox and start recapturing more than half the time you're currently spending on managing your attack surface. Automox dramatically reduces corporate risk while raising operational efficiency to deliver best-in-class security outcomes, faster and with fewer resources.