Perform FFIEC Security Risk Assessments with SaaS Tool

With the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council (FFIEC) released the Cybersecurity Assessment Tool (CAT, referred to below as "the Assessment") in June 2015 to help institutions identify their risks and determine their cybersecurity maturity. The content of the Assessment is consistent with the principles of the FFIEC Information Technology Examination Handbook (IT Handbook) and the National Institute of Standards and Technology (NIST) Cybersecurity Framework, as well as industry-accepted cybersecurity practices. The Assessment gives institutions a repeatable and measurable process for informing management about the institution's risks and its cybersecurity preparedness.

The Assessment consists of two parts: the Inherent Risk Profile and the Cybersecurity Maturity. The Inherent Risk Profile identifies the institution's inherent risk, that is, the risk posed by its activities, services and products before any controls are taken into account. The Cybersecurity Maturity is organized into domains, assessment factors, components, and individual declarative statements spread across five maturity levels (Baseline, Evolving, Intermediate, Advanced, and Innovative); each declarative statement describes a specific control or practice, and management records whether it is in place. Management determines a maturity level for each domain separately; the Assessment is deliberately not designed to roll those up into a single overall cybersecurity maturity level.

To complete the Assessment, management first assesses the institution’s inherent risk profile based on five categories:

  1. Technologies and Connection Types
  2. Delivery Channels
  3. Online/Mobile Products and Technology Services
  4. Organizational Characteristics
  5. External Threats

Management then evaluates the institution’s Cybersecurity Maturity level for each of five domains:

  1. Cyber Risk Management and Oversight
  2. Threat Intelligence and Collaboration
  3. Cybersecurity Controls
  4. External Dependency Management
  5. Cyber Incident Management and Resilience
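The per-domain maturity determination described above follows a cumulative rule in the FFIEC Assessment: a domain is at a given maturity level only when every declarative statement at that level and at all lower levels is attained, where a response of "Yes" or "Yes(C)" (met through compensating controls) counts as attained. The following Python is an added example written for this article, not code from the FFIEC or from any assessment product; the domain and level names are FFIEC's, while the declarative statements and responses below are constructed sample data, heavily abbreviated, used only to exercise the rule. It also reports which statements block the next level, which is the output a practitioner actually works from, and it purposely offers no overall institution-wide score, matching the Assessment's design.

```python
"""Per-domain FFIEC CAT maturity from declarative-statement responses.

Added example for this article. Level and domain names are FFIEC's; the
SAMPLE statements and responses are constructed and abbreviated.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# FFIEC maturity levels, lowest to highest. Attainment is cumulative.
MATURITY_LEVELS = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]

DOMAINS = [
    "Cyber Risk Management and Oversight",
    "Threat Intelligence and Collaboration",
    "Cybersecurity Controls",
    "External Dependency Management",
    "Cyber Incident Management and Resilience",
]

# Responses the Assessment accepts for a declarative statement.
# "Yes(C)" = met through compensating controls; it counts as attained.
ATTAINED = {"Yes", "Yes(C)"}
VALID_RESPONSES = ATTAINED | {"No"}


@dataclass(frozen=True)
class Statement:
    domain: str
    level: str
    text: str      # abbreviated declarative statement (constructed)
    response: str  # "Yes", "Yes(C)" or "No"


def _by_level(statements: list[Statement], domain: str) -> dict[str, list[Statement]]:
    """Group one domain's statements by maturity level, validating inputs."""
    grouped: dict[str, list[Statement]] = {lvl: [] for lvl in MATURITY_LEVELS}
    for s in statements:
        if s.domain != domain:
            continue
        if s.domain not in DOMAINS or s.level not in MATURITY_LEVELS:
            raise ValueError(f"unknown domain/level: {s.domain!r}/{s.level!r}")
        if s.response not in VALID_RESPONSES:
            raise ValueError(f"invalid response {s.response!r} for {s.text!r}")
        grouped[s.level].append(s)
    return grouped


def domain_maturity(statements: list[Statement], domain: str) -> Optional[str]:
    """Highest level whose statements, and all lower levels' statements, are attained.

    A level with no recorded statements is treated as not attained (nothing
    has been evidenced), so progression stops there. Returns None when the
    domain has not even reached Baseline.
    """
    grouped = _by_level(statements, domain)
    achieved: Optional[str] = None
    for lvl in MATURITY_LEVELS:
        stmts = grouped[lvl]
        if not stmts or any(s.response not in ATTAINED for s in stmts):
            break  # cumulative rule: a gap here blocks every higher level
        achieved = lvl
    return achieved


def blocking_statements(statements: list[Statement], domain: str) -> list[str]:
    """Texts of the unmet statements at the lowest level that is not fully attained."""
    grouped = _by_level(statements, domain)
    for lvl in MATURITY_LEVELS:
        unmet = [s.text for s in grouped[lvl] if s.response not in ATTAINED]
        if unmet or not grouped[lvl]:
            return unmet  # empty list means the level is simply unevidenced
    return []


def maturity_profile(statements: list[Statement]) -> dict[str, Optional[str]]:
    """One level per domain. No aggregate is computed: the Assessment defines none."""
    return {d: domain_maturity(statements, d) for d in DOMAINS}


# Constructed, abbreviated sample responses (not FFIEC text).
SAMPLE = [
    Statement("Cybersecurity Controls", "Baseline", "Network perimeter defense tools in place", "Yes"),
    Statement("Cybersecurity Controls", "Baseline", "Systems configured per approved baselines", "Yes"),
    Statement("Cybersecurity Controls", "Evolving", "Anti-malware deployed on all endpoints", "Yes(C)"),
    Statement("Cybersecurity Controls", "Evolving", "Remote access requires MFA", "Yes"),
    Statement("Cybersecurity Controls", "Intermediate", "Network segmentation limits lateral movement", "No"),
    Statement("Threat Intelligence and Collaboration", "Baseline", "Threat info sources are monitored", "Yes"),
    Statement("Threat Intelligence and Collaboration", "Baseline", "Threat intel is shared internally", "No"),
    Statement("Cyber Risk Management and Oversight", "Baseline", "Board approves information security program", "Yes"),
    Statement("Cyber Risk Management and Oversight", "Evolving", "Cybersecurity risk appetite is defined", "Yes"),
    Statement("Cyber Risk Management and Oversight", "Intermediate", "Board receives cyber risk reporting", "Yes(C)"),
]

if __name__ == "__main__":
    for domain, level in maturity_profile(SAMPLE).items():
        print(f"{domain}: {level or 'below Baseline'}; blocking: {blocking_statements(SAMPLE, domain)}")
```

Run on the sample, the Cybersecurity Controls domain stops at Evolving because one Intermediate statement is "No", Threat Intelligence and Collaboration is below Baseline because a Baseline statement is unmet, and the two domains with no recorded statements report no level rather than a default one.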

Completing the Assessment

The Assessment is designed to provide a measurable and repeatable process for assessing an institution's level of cybersecurity risk and preparedness. Part one, the Inherent Risk Profile, identifies the institution's inherent risk relevant to cyber threats. Part two, the Cybersecurity Maturity, determines the institution's current state of cybersecurity preparedness, expressed as a maturity level in each of the five domains. For the Assessment to work as a risk management tool rather than a one-time exercise, an institution should complete it periodically and again whenever significant operational or technological changes occur, for example when introducing new products and services. It is intended to be applied primarily on an enterprise-wide basis. A cyber risk program built on the Assessment should extend and align with the institution's existing information security, business continuity, and disaster recovery programs rather than run alongside them.

The Assessment applies to the institutions supervised by the FFIEC member agencies, which include the following:

Board of Governors of the Federal Reserve System (FRB)

  1. State member banks
  2. Bank holding companies
  3. Nonbank subsidiaries of bank holding companies
  4. Savings and loan holding companies
  5. Edge and agreement corporations
  6. Branches and agencies of foreign banking organizations operating in the United States, and their parent banks
  7. Officers, directors, employees, and certain other categories of individuals associated with the above banks, companies, and organizations (referred to as "institution-affiliated parties")

Federal Deposit Insurance Corporation (FDIC)

  1. Insured state-chartered banks that are not members of the Federal Reserve System (state nonmember banks)
  2. Insured branches of foreign banks
  3. Officers, directors, employees, controlling shareholders, agents, and certain other categories of individuals (institution-affiliated parties) associated with such institutions

National Credit Union Administration (NCUA)

  1. Credit unions

Office of the Comptroller of the Currency (OCC)

  1. National banks and their subsidiaries
  2. Federally chartered savings associations and their subsidiaries
  3. Federal branches and agencies of foreign banks
  4. Institution-affiliated parties (IAPs), including (a) officers, directors, and employees, and (b) a bank's controlling stockholders, agents, and certain other individuals