5 Steps to Ace the FFIEC Assessment

Financial institutions are a rich target for cybercriminals, who scoop up sensitive personal information that allows them to open fake accounts and fraudulent lines of credit. According to research from services firm Accenture and the Ponemon Institute, the average annualized cost of cybercrime to financial institutions exceeds $18 million.

Take Capital One as an example. In an August 2020 settlement with federal regulators, the bank agreed to pay $80 million in penalties stemming from its 2019 cyberattack. The data breach compromised 100 million accounts, exposing personally identifiable information (PII) of U.S. and Canadian consumers, including 140,000 Social Security numbers, a million Canadian Social Insurance numbers, and 80,000 bank account numbers, along with names, addresses, credit scores, and other private and sensitive information.

There are plenty of other examples of similar breaches. Here are some of the most eye-catching ones:

  • First Horizon had to reimburse customers whose accounts were hacked in April 2021 by cybercriminals. The hackers used previously stolen credentials and exploited a vulnerability in third-party security software. In a report to the Securities and Exchange Commission (SEC), the bank said fewer than 200 customers were affected and the hackers stole less than $1 million in total.
  • One of Chile's largest banks had to shut down all its branches after being hit with the REvil ransomware in September 2020. Experts believe the attack started with a malicious Microsoft Office attachment sent to an employee to create a backdoor into the company's network.
  • At least two class-action lawsuits were filed in two different states against U.S. Bancorp for a data breach after a server was stolen in July 2020 from the company's corporate office. The server contained nonencrypted PII of an undisclosed number of customers.

Threat actors targeting financial services are now highly organized and well-resourced. As Jamil Jaffer, founder and executive director of George Mason University's National Security Institute, noted in his testimony to U.S. Congress, "State-sponsored hacking is the biggest threat to our financial sector because of the capacities that they can bring to bear."

In 2020, the financial sector experienced the fourth-highest number of data breaches across 20 industries, Verizon's 2021 Data Breach Investigations Report shows. Separately, security researchers saw a 238% jump in cyberattacks on banks in 2020. Although they attributed that surge to COVID-19, earlier reports already showed that financial services may be experiencing 300 times more cyberattacks per year than other companies.

In response to the high threat levels, the Federal Financial Institutions Examination Council (FFIEC) has provided firms with a Cybersecurity Assessment Tool (CAT), a framework for taking stock of a financial institution's cybersecurity preparedness. This tool has quickly become the standard baseline for assessing the cybersecurity maturity of financial firms.

The FFIEC requires all companies under its purview to complete a robust assessment program. Using the one the council provides is not required, but it makes good sense.

What is the FFIEC Assessment?

The FFIEC introduced the CAT in May 2017, following a 2014 pilot by member institutions that assessed their preparedness to mitigate cyber risks. The premise behind the assessment is that "cybersecurity needs to be integrated throughout an institution as part of enterprise-wide governance processes, information security, business continuity, and third-party risk management," the FFIEC explains.

The goal is for financial institutions to manage both internal and external threats and vulnerabilities and protect their IT infrastructure, data, and information assets.

According to the FFIEC, CAT is designed to provide a repeatable and measurable process that evaluates readiness, and should be used on an organization-wide basis, primarily when introducing new services and products.

How to Pass the FFIEC Assessment

CAT is a comprehensive assessment of every aspect of cybersecurity. To get your organization to the level where you can pass the assessment, take these five steps.

Step 1: Get the Whole Firm Involved

This step helps evaluate your organization's inherent risk profile based on five risk areas:

Technologies and connection types: Complexity, maturity, connections, and other factors affect the level of risk that different technologies pose. For example, unsecured wireless connections are inherently risky, and the larger their number, the higher the risk.

Delivery channels: These range from online and mobile channels to automated teller machines. A higher number and variety of channels contribute to higher risk.

Online/mobile products and technology services: Examples include payment services, remote deposit capture, and retail wire transfers.

Organizational characteristics: Whether it's mergers and acquisitions, the number of privileged access users, or the number of cybersecurity contractors and employees, these and other factors impact risk levels across the entire organization.

External threats: This category takes into consideration the volume of attacks, along with their sophistication—both of which have been growing.

During this evaluation process, collaboration among all departments and functions is vital. A single department can't cover each element of the full 59-page assessment. Engage key personnel across all departments to create a comprehensive and accurate view of the institution.

Step 2: Evaluate Cybersecurity Maturity in Five Domains

This step involves assessing the organization's maturity in five cybersecurity domains:

Cyber risk management and oversight: The focus is on activities of the board of directors, tasked with developing and implementing an effective cybersecurity program, including aspects such as governance, resource allocations, cybersecurity culture, and training.

Threat intelligence and collaboration: These are the processes used to discover, monitor, analyze, and understand the threats, including effectively sharing information with internal stakeholders and outside parties.

Cybersecurity controls: The practices and processes for protecting data, assets, and infrastructure are divided into three categories:

  • Preventative (to deter attacks).
  • Detective (to identify vulnerabilities and threats).
  • Corrective (to remediate and resolve those threats).

External dependency management: This domain looks at connections and relationships with third parties, such as vendors, suppliers, and partners.

Cyber incident management and resilience: The final domain evaluates the ability to plan for and respond to incidents, as well as to recover operations.

With this information in hand, you should analyze your organization's security gaps and improve your compliance process. This step also builds up to the next one—understanding where your organization stands on the maturity scale.

Step 3: Reassess Your Risk Profile and Maturity

The FFIEC uses a five-level scale to help organizations measure where they stand on the maturity spectrum:

  • Baseline: Fulfilling minimum expectations required by law and regulations.
  • Evolving: Adding another level through documented procedures and processes not required by law.
  • Intermediate: Incorporating detailed, consistent, and formal risk-management processes.
  • Advanced: Integrating cybersecurity practices across all lines of business and automating risk management.
  • Innovative: Driving new tools or controls by innovating across people, technology, and processes—not only for the organization but also for the industry.

Organizations that use CAT and achieve a mature assessment result may feel that keeping things as they are will suffice the following year. All too often, that's not the case: in areas where you do well one year, you may not pass the assessment the next.

Factors that can lead to inconsistent performance may include internal changes, new cybersecurity threats, lack of resources, and business changes such as organizational growth or new business models.

The FFIEC expects management to review the company's inherent risk profile in relation to the cybersecurity maturity results for each of the five domains to gauge their alignment. Profile and maturity levels typically change over time as threats, vulnerabilities, and operational environments change. That means you need to constantly reevaluate in light of new threats, new products or services, and new connections.

Step 4: Use the CAT Assessments to Ask Key Questions

CAT offers you the opportunity to answer key questions about cybersecurity, so you can then address the gaps in readiness. Questions to consider include:

  • Is your organization a direct target of attacks?
  • Does your institution's cybersecurity preparedness receive an appropriate level of time and attention from executive management or an appropriate board committee?
  • Are you allocating adequate resources, such as staffing, tools, and budget, to ensure your resources and staff expertise align with the level of risk?
  • Do you have a consistent program that audits the effectiveness of your main controls?
  • What is the ongoing process for gathering, monitoring, analyzing, and reporting risks?
  • Who is accountable for assessing and managing the risks posed by changes to the business strategy or technology?
  • What third parties does the institution rely on to support critical activities?
  • What is the process to oversee third parties and to understand their inherent risks and cybersecurity maturity?
  • What kind of planning and testing activities do you have in place to ensure you can effectively respond to incidents and improve overall resilience?

Step 5: Use CAT to Inform Your Cybersecurity Strategy

CAT is not just an assessment—it's a framework to help you improve your company's resilience and ward off attacks. Where the maturity levels don't match the inherent risk profile, you can develop a strategy for getting a better score next time, which, of course, also helps protect the institution.

The FFIEC recommends that financial firms:

  • Determine target maturity levels to ensure they align appropriately with the level of risk.
  • Conduct a gap analysis to drive process improvements based on the current vs. targeted maturity level.
  • Prioritize and plan actions to decide which steps will have the highest impact in improving cybersecurity readiness.
  • Implement changes and put the strategy into action across each domain.
  • Reassess readiness periodically to drive further improvements.
  • Communicate the results and keep the board and the executive leadership fully informed about progress.

Where to Find Help for FFIEC Requirements

Meeting the FFIEC requirements is especially important in today's business and cybersecurity landscape. As cybercriminals find new ways to exploit weaknesses in the financial sector, tools proliferate, and the banking infrastructure becomes more interconnected, the financial, reputational, operational, and legal risks will continue to grow.

For financial institutions that have limited resources or in-house expertise, complying with FFIEC requirements can be a challenge, especially as their infrastructure becomes more complex. Arctic Wolf can help you implement a strategy that covers all five of the FFIEC cybersecurity domains.

Learn more about the specific ways Arctic Wolf can help you improve your readiness and address the FFIEC requirements.