Will FFIEC Revamp Cyber Assessment Tool?Agency Solicits Comments; Critics Urge Changes
In response to banking institutions' requests for clarification of the Cybersecurity Assessment Tool, the Federal Financial Institutions Examination Council is taking a preliminary step that could lead to refinements.
The FFIEC recently reopened its comment period for the tool, which was issued in July. It's accepting comments through Jan. 15, according to a notice in the Federal Register from the Office of the Comptroller of the Currency, the lead agency for the FFIEC.
The OCC has not yet confirmed whether new comments could lead to refinement of the tool. But critics of the tool claim it doesn't meet banking institutions' cybersecurity needs and are hopeful it will be refined soon.
"As an industry, what we want is a version 2.0 of the assessment tool," says Jeremy Dalpiaz, assistant vice president of cybersecurity and data security policy for the Independent Community Bankers of America.
"From the ICBA's standpoint, we all agree that cybersecurity is a focus for all financial institutions. But I think the tool needs improvement," he says. "One thing our bankers have asked for is that when they account for risk, there is no way, using the tool, to account for mitigating controls. You get to a binary 'yes' or 'no', and we think this is short-changing the compensating controls that institutions have already put in place."
In September, the Financial Services Sector Coordinating Council, whose members include large and midsize U.S. banking institutions, stock exchanges and card networks, as well as banking associations, including the ICBA, sent a letter to the FFIEC requesting that it re-evaluate its tool. Dalpiaz believes that letter was the catalyst for FFIEC's new window for comments.
The FSSCC wants the FFIEC to clarify how it uses the tool during IT examinations. Although the FFIEC originally marketed the tool as a voluntary cyber-risk assessment aid, banking institutions report that regulatory examiners are using the tool as part of their IT examination process, Dalpiaz says.
"If they are using it in an exam, then it's a defacto regulation," Dalpiaz says. "As a result, we've now seen a few states that have come out and said the tool is mandatory. So we want the FFIEC to clarify all of this. And we want to see version 2.0 sooner rather than later."
New York, Texas, Massachusetts and Maine have either specifically mandated use of the Cybersecurity Assessment Tool for compliance with state regulatory guidance or have said that a mandate is on the way, Dalpiaz says.
Beth Dugan, the OCC's deputy comptroller for operational risk, tells Information Security Media Group that the tool is currently being used as part of the examination process, but only as a means of evaluating its efficacy.
"The OCC has started to use the tool as part of our examinations of our national banks and federal savings associations," Dugan notes. "The OCC will leverage the results of examinations using the assessment tool to better measure the risk and assess the preparedness of individual institutions, categories of institutions and the national banking system overall. By analyzing the data gathered during examinations, we will improve our identification of broader trends in cybersecurity preparedness and common control gaps. This information will be used to inform the OCC's supervisory strategies and any future supervisory guidance on cybersecurity."
Cyber Assessment Revisions Expected
Dalpiaz says the FFIEC has been receptive to industry concerns. In the fall, the FFIEC met with representatives from the FSSCC and member institutions to review concerns noted in the Sept. 21 letter. He says he hopes a similar meeting to occur after the Jan. 15 window for additional comments closes.
"We want to work with the FFIEC to continue refining this tool to make it more useful for everyone involved," Dalpiaz says.
In its letter, the FSSCC asks that the FFIEC:
- Clarify and preserve the voluntary nature of the assessment tool;
- Refrain from using the current version of the tool as part of any formal examination processes;
- Collaborate with banking associations and institutions for the next 12 to 18 months to develop version 2.0 of the tool, using a process similar to the approach used to develop the National Institute of Standards and Technology Cybersecurity Framework;
- Ensure that version 2.0 more closely aligns with recommendations noted in the NIST Cybersecurity Framework;
- Ensure that the tool has more objective measures for its assessment of cybersecurity maturity; and
- Outline ways the tool can enable effective boardroom engagement.
Mike Wyffels, chief technology officer of QCR Holdings, a $2 billion company that owns four banking institutions, says the tool feels more like a "checkbox" exercise than an interactive assessment tool. And, like Dalpiaz, he says the tool includes too many black-and-white questions that leave no room for alternative responses.
"Some questions are difficult to answer because you may do some things for a particular question but not others," Wyffels says. "You have to weigh your response to either a 'yes' or a 'no.' Those types of questions require more follow-up and explanation for internal and external audiences to understand the scope with which you do or don't do certain things."
Instead, Wyffels suggests the tool should focus on an institution's cybersecurity maturity and provide guidance about cybersecurity controls that could be implemented based on the institution's overall risk posture. "It would be very interesting to be able to compare an FI's [financial institution's] results to an aggregate benchmark of FIs of similar size and services, to determine gaps that could be evaluated as well," he says.
Conflicts with NIST Framework
Some banking leaders are concerned that certain recommendations in the tool conflict with the National Institute of Standards and Technology's cybersecurity framework, which was released in February 2014.
"The NIST cybersecurity framework came out about a year and a half ago, and CISOs had to explain to their boards how it was to be used and what it meant," Dalpiaz says. "Now we have this Cybersecurity Assessment Tool from the FFIEC, and while it is mapped to NIST, it is not based on NIST, and this has to be explained to the board."
In December, Chris Feeney, president of BITS, the technology policy division of the Financial Services Roundtable, highlighted concerns about the Cybersecurity Assessment Tool's perceived conflicts with the NIST framework.
In a recent interview, Gartner analyst Avivah Litan expressed similar concerns, noting that the tool acts more like a list of requirements than an interactive feature that could help institutions truly assess their current cyber-risk posture.
"In principle, it all started out very well and good," Litan says. "But we have been getting lots of calls from our clients about how the process itself doesn't seem to live up to the spirit of the guidance and the regulation. ... What we are witnessing is phase one of this new tool, and hopefully phase two will allow more judgment, more context, and will be accompanied with outgoing and proactive education. There should be working groups and conferences, and I'm not seeing any of that yet."
In the meantime, Dalpiaz says banking institutions, with the help of the Financial Services Information Sharing and Analysis Center and the FSSCC, have developed their own tool to help assess cybersecurity maturity. The tool, a downloadable file available on the FSSCC website, was designed to help fill the gaps left by the FFIEC's tool, he adds.