FFIEC Sheds Light on Use of Cybersecurity Assessment Tool

Since the Federal Financial Institutions Examination Council released its Cybersecurity Assessment Tool in July 2015, banking institutions have raised numerous questions about how they should use the tool to address risk and whether it should be included as part of IT examinations with federal banking regulators (see Banks to FFIEC: Cyber Tool is Flawed).

In response, the FFIEC has released a "frequently asked questions" guide to help clarify how the council expects the tool to be used, experts from one of FFIEC's five regulatory agencies explain in this in-depth interview with Information Security Media Group.

Tim Segerson, deputy director of the Office of Examination and Insurance at the National Credit Union Administration, acknowledges the tool, which sheds light on regulators' expectations, won't answer every question that banking institutions have about the tool. All of the FFIEC agencies, including the NCUA, the Federal Deposit Insurance Corp., the Federal Reserve Board, the Office of the Comptroller of the Currency and the Consumer Financial Protection Bureau, reached a consensus on what was most important to include, he explains.

One key point the FAQ reiterates is that use of the Cybersecurity Assessment Tool is not mandatory, nor is its use a required part of the IT examination process, says Wayne Trout, supervisor of critical infrastructure and cybersecurity within the NCUA's Office of Examination and Insurance.

"On the examination process right now, for institutions that have ... actually gone through and completed the assessment tool, examiners are engaging in conversation with those institutions' managers and determining what the institution rated themselves in the inherent risk profile, as well as [how] the institution rates themselves in the maturity portion of the tool," Trout says.

For instance, by talking with credit unions about how they rate themselves in certain categories, Trout says it became clear to NCUA examiners that some institutions had trouble interpreting portions of the tool, such as those related to the use of cybersecurity controls that might be outsourced to a third party.

During this interview (see audio link below image), Segerson and Trout also discuss:

Why the Cybersecurity Assessment Tool has not yet been automated; How the Cybersecurity Assessment Tool aligns with the NIST Cybersecurity Framework; and How the tool could evolve.

At the NCUA, Segerson oversees the operations of the Office of Examination and Insurance and assists the director with implementation of policies related to examinations, supervision and insurance, and guaranty-fund risk management.

Trout, supervisor of critical infrastructure and cybersecurity within the Office of Examination and Insurance, served as an NCUA representatives to the FFIEC Cybersecurity Critical Infrastructure Working Group to assist in developing portions of the Cybersecurity Assessment Tool.