The Federal Financial Institutions Examination Council’s (FFIEC) has recently stepped into its role as the leading voice in cybersecurity-related banking regulation, bringing examiners and technology experts from all member agencies together with the expectation that the banking industry will be a leader in cybersecurity maturity and readiness.
In the five years since the passing of Dodd-Frank, FFIEC guidance was given new legitimacy with the addition of the Consumer Financial Protection Bureau (CFPB) to the FFIEC, combined with the mandate of that new organization. These changes have forced other member agencies to enter a new age of cooperation and unified guidance. A complex organization, the FFIEC consists of five member agencies and a committee of state banking and credit union regulators:
Before the FFIEC’s expansion of its role, banks had to manage their relationships with each of these agencies individually. Each agency has a unique mandate, and developed its approach to cybersecurity over the years in accordance with that mandate. Sometimes this resulted in confusing or even conflicting guidance for banks and credit unions, as the agencies and the industry as a whole built their knowledge of cybersecurity in a changing environment.
To help the process of moving an entire industry in the same direction, on June 30th, 2015, the FFIEC released a Cybersecurity Self-assessment Tool (CAT). If you’re familiar with other cybersecurity assessment frameworks, it’s pretty similar to PCI, or COBIT, or any of the other available examples; the CAT is industry-specific and reflects the current understanding of best practices relevant to the systems that support banks and credit unions. It is highly detailed, with over 400 individual considerations organized into 10 categories. It is also highly prescriptive, setting a clear minimum standard for capability maturity and functional requirements. Without a doubt, it is a step in the right direction for banking regulators, and for the industry. The FFIEC’s 10-page user guide can be found here.
Generally, all of the available cybersecurity frameworks (COBIT, PCI, ISO 27001, et cetera) are useful. They each individually help technology leaders develop and maintain a process that measures security risk, and helps drive capabilities improvement. Together, they demand a weight of compliance effort and related manpower that few organizations can easily bear. Cybersecurity and compliance leaders in banks and credit unions will be highly encouraged to complete the new CAT and discuss the results with their lead regulator as a part of their regular exam cycle. Overall, the CAT provides a more comprehensive format for assessing your risks and is backed by an organization that will use it for formal reviews.
What Could Possibly Go Wrong?
At West Monroe Partners, we’re not big believers in scare tactics. We are, however, realistic in our understanding of what companies regularly do with audit-type frameworks and the results of these exercises. If companies treat the framework as a checkbox on their to-do list and don’t follow up on what they learned, then the same effort is required at the next exam cycle and little progress is made for continuous improvement.
To achieve context in using the FFIEC CAT, we recommend understanding its very methodical correlation to the NIST Cybersecurity Framework (see FFIEC CAT Appendix B). Overall, we like the NIST framework better for the purposes of self-assessment. In fact, we like it so much that we have our own customized version of it. We, as a consultancy, serve many industries, and the industry-agnostic approach of NIST’s tool inspired us in creating our framework to add consistency to our assessments. The important point is that, while the CAT has been designed with longevity in mind, because it is prescriptive and detailed, it is time-consuming to complete and difficult for most non-security personnel to understand and consume. The WMP custom tool helps our clients complete the FFIE CAT since this can be difficult for personnel with limited security backgrounds, or teams that are not accustomed to supporting a formal risk management process.
Want to learn more? West Monroe will be hosting a webinar that goes into more detail on these new frameworks on September 29. Please click here to register. In the meantime, let us know if you have any questions or comments below.