As expected, the Federal Financial Institutions Examination Council, on behalf of its members, released a Cybersecurity Assessment Tool to help institutions identify their risks and assess their cybersecurity preparedness.
Financial institutions of all sizes may use the tool and other methodologies to perform a self-assessment and update their risk management strategies. The release of the Cybersecurity Assessment Tool follows last year's pilot assessment of cybersecurity preparedness at more than 500 institutions. The FFIEC plans to update the assessment tool as threats, vulnerabilities, and operational environments evolve.
In addition to the assessment, the FFIEC also made available other resources, including an executive overview, a user's guide and an online presentation explaining the assessment. It also provided appendices mapping the assessment's baseline maturity statements to the FFIEC Information Technology Examination Handbook, mapping all maturity statements to the National Institute of Standards and Technology's Cybersecurity Framework and providing a glossary of terms.
FFIEC members are encouraging institutions to comment on the assessment through an upcoming Paperwork Reduction Act notice in the Federal Register. A spokesman said the NCUA will encourage credit unions to use this tool and the agency will be sending a letter to credit unions in the near future with more detail.
In March, the FFIEC provided an overview of its 2015 cybersecurity priorities, which included work streams and a self-assessment tool. Industry observers have said this is a precursor to issuing cybersecurity guidance.
The priorities grew out of last year's pilot assessment of cybersecurity readiness at more than 500 financial institutions, conducted by state and federal regulators during regularly scheduled examinations. The information pilot effort helped assess how community financial institutions manage cybersecurity and their preparedness to mitigate increasing cyber risks.
"The FFIEC created a task force focused on cybersecurity as a result of all the breaches and cyberattacks," Jackie Marshall, director of IT regulatory compliance for Gladiator Technology, a part of the Dallas-based ProfitStars, a Jack Henry Company, said. "It wanted to see where institutions were in their strategy in terms of cybersecurity."
Tyler Leet, director of risk and compliance services at the Paducah, Ky.-based CSI, added, "They wanted a better understanding of where community financial institutions stood with their cybersecurity posture and the controls they had in place, and areas they think need to be improved."
In November 2014, the FFIEC, on behalf of its members, released observations from the cybersecurity assessment and recommended regulated financial institutions participate in the Financial Services Information Sharing and Analysis Center. The FS-ISAC is a non-profit, information-sharing forum established by financial services industry participants to facilitate the public and private sectors' sharing of physical and cybersecurity threat and vulnerability information.
The assessment found that boards and senior executives knew very little about the cybersecurity risks to their organizations.
"They told institutions to do a self-assessment and detailed analysis so the board would understand what their risks are and what needs to be done," Marshall explained.
"Rapidly evolving cybersecurity risks reinforce the need for all institutions and their critical technology service providers to have appropriate methods for obtaining, monitoring, sharing and responding to threat and vulnerability information," the FFIEC said. "Financial institution management is expected to monitor and maintain sufficient awareness of cybersecurity threats and vulnerability information so that they may evaluate risk and respond accordingly."