Federal Financial Regulators Release Cybersecurity Assessment Tool: FFIEC Assessment Tool Provides Repeatable and Quantifiable Process for Financial Institutions to Gauge Cybersecurity Risk and Preparedness

Sullivan & Cromwell LLP - July 10, 2015

On June 30, the Federal Financial Institutions Examination Council (“FFIEC”) released a voluntary Cybersecurity Assessment Tool (“Assessment Tool”) to aid financial institutions in evaluating their inherent cybersecurity risk profile and determining their level of cybersecurity preparedness.  The Assessment Tool provides financial institutions five criteria on which to evaluate their risk profiles:  technologies and connection types, delivery channels, online/mobile products and technology services, organizational characteristics, and external threats.  It also provides five criteria for evaluating cybersecurity preparedness, what the FFIEC calls “cybersecurity maturity”: cyber risk management and oversight, threat intelligence and collaboration, cybersecurity controls, external dependency management, and cyber incident management and response.  Though the FFIEC says that use of the Assessment Tool is optional, the Board of Governors of the Federal Reserve System (“FRB”), the Federal Deposit Insurance Corporation (“FDIC”) and the Office of the Comptroller of the Currency (“OCC”) have said that it will be discussed or used during examinations of financial institutions.