Understanding the FFIEC Cybersecurity Assessment Tool: An Internal Audit Perspective

Tick, tock, tick, tock… Admiral Rogers’s warning is chilling: a major cyberattack against U.S. critical infrastructure is simply a matter of time. Cybersecurity risk management has been a top priority for financial institutions, their boards of directors and their regulators for some time. In June 2015, the Federal Financial Institutions Examination Council (FFIEC) released the Cybersecurity Assessment Tool (the Assessment) to help financial institutions identify their cyber risks and determine their cybersecurity maturity and preparedness. Federal agencies will use the Assessment during examinations to collect data across industry peers for benchmarking and to support examination conclusions.

The FFIEC Assessment was designed to complement the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Security, released in February 2014. Since its release, the NIST framework has quickly become the U.S. standard for institutions aiming to assess their cybersecurity maturity and reduce risk to their critical infrastructure. The FFIEC Assessment supplements the popular NIST framework with guidance specific to federally supervised financial institutions.