The Federal Financial Institutions Examination Council's Cybersecurity Assessment Tool is already being integrated into regulators' cybersecurity examinations, says financial fraud and cybersecurity expert Avivah Litan, a distinguished analyst at consultancy Gartner.
But the tool has fallen short, she says, causing more confusion than clarity. Litan contends the FFIEC must enhance the tool in 2016. This is just one of the top banking/security trends Litan identifies in an interview with Information Security Media Group.
"In principle, it all started out very well and good," Litan says. "But we have been getting lots of calls from our clients about how the process itself doesn't seem to live up to the spirit of the guidance and the regulation."
The FFIEC issued the tool in July 2015. It was designed to move banking institutions from a mentality of "checkbox" compliance to one of a multilayered risk-based approach, allowing institutions to assess the maturity level of their risk-assessment processes, she explains.
But in spite of the tool's aim to create a platform by which banks and credit unions may take a "hard look" at their own cybersecurity weaknesses, the tool is nothing more than a series of questions that ultimately add up to checkbox compliance, she says.
"It still ends up being a series of yes and no questions within these categories, and there's no room, from what I've been told, to put in any kind of thought and context and text to explain: 'Well, no, we're not compliant in this specific subcategory, and this is the reason we're not; we don't think we need to be,'" Litan explains. "If two out of 10 questions are answered with a 'no,' and eight out of 10 questions are answered with a 'yes,' the whole category is considered a negative for the bank."
What's more, banking institutions have not been provided resources or guidance to help them figure out how to address this concern. Given that it is now a part of regulators' cyber assessment processes, the FFIEC needs to tweak the tool this year, Litan adds.
"I think that what we are witnessing is phase one of this new tool, and hopefully phase two will allow more judgment, more context, and will be accompanied with outgoing and proactive education," Litan says. "There should be working groups and conferences, and I'm not seeing any of that yet."
During this interview, Litan also discusses:
Lessons the FFIEC could learn from the PCI Security Standards Council, where educating the financial community about new regulatory tools and guidance is concerned; Why the EMV chip and PIN debate has quickly become a moot topic in the U.S.; and Why the compromise of personally identifiable information is posing big authentication challenges for banks.Litan, a vice president at Gartner Research, is a recognized authority on financial fraud. She has more than 30 years of experience in the IT industry. Her areas of expertise include financial fraud; authentication; access management; identity proofing; identity theft; fraud detection and prevention applications; and other areas of information security and risk. She also covers security issues related to payment systems and PCI compliance.