The Community Banker Oct. 2015On June 30, 2015, the FFIEC released a new Cybersecurity Assessment Tool.  The tool is designed to help financial institutions, such as banks and credit unions, identify their inherent cybersecurity risk and assess their cybersecurity preparedness.  The release of the tool comes on the cusp of last year's pilot assessment on cybersecurity preparedness at more than 500 financial institutions. 

The FFIEC Cybersecurity Assessment Tool (Assessment) is comprised of the following pdf documents:

  • Overview for Chief Executive Officers and Board of Directors
  • User's Guide
  • Inherent Risk Profile
  • Cybersecurity Maturity
  • Additional Resources

While the Assessment is not required, it is encouraged to help financial institutions perform a self-evaluation of their cybersecurity inherent risk and maturity.  Executive management and board oversight are also a major theme of the tool.   

CEO and Board Responsibilities:

The Assessment puts emphasis on executive and board involvement.  The Overview for CEOs and Boards of Directors document provides suggested roles and responsibilities for the CEO and the board.  Some of the suggested responsibilities include:

  • Approve plans to use the Assessment (Board)
  • Develop a plan to conduct the Assessment (CEO)
  • Lead employee efforts during the Assessment (CEO)
  • Engage management in establishing the institution's vision, risk appetite, and overall strategic direction (Board)
  • Set the target state of cybersecurity preparedness that best aligns to the board of directors' stated risk appetite (CEO)
  • Review, approve, and support plans to address risk management and control weaknesses (CEO)
  • Review and approve plans to address any risk management or control weaknesses (Board)
  • Analyze and present results (CEO)
  • Review management's analysis and determinations of the Assessment results (Board)
  • Oversee ongoing monitoring and changes (CEO)
  • Review results of management's ongoing monitoring (Board)

Inherent Risk Profile

The assessment process primarily consists of two main parts: Inherent Risk Profile and Cybersecurity Maturity.  Inherent risk levels incorporate the type, volume, and complexity of the institution's operations including cybersecurity threats directed at the institution.  Inherent risk does not include mitigating controls and can fall in one of five risk levels ranging from Least to Most inherent risk (Figure 1).  Inherent risk is determined by evaluating 39 questions across five categories.

Cybersecurity Maturity

Once an institution has determined their inherent risk, they can move to evaluate their cybersecurity maturity.  Cybersecurity maturity is determined by answering 494 declarative statements organized into five domains (Cyber Risk Management and Oversight, Threat Intelligence and Collaboration, Cybersecurity Controls, External Dependency Management, and Cyber Incident Management and Resilience).  Each declarative statement describes activities supporting assessment factors for each domain.  There are five maturity levels starting at the Baseline maturity level and progressing to the highest maturity, the Innovative level (Figure 2).  To achieve a maturity level in a domain, all declarative statements in that maturity level and previous levels must be attained and sustained.

Interpreting and Analyzing Assessment Results

Once the Inherent Risk Profile and Cybersecurity Maturity results are complete, management can review inherent risk in relation to maturity for each domain to better understand where they align.  In general, as inherent risk increases, maturity levels in each domain should also increase (Figure 3).  If management determines the institution's cybersecurity maturity levels are not appropriate based on the institution's inherent risk, the institution should consider reducing inherent risk or developing a plan to improve cybersecurity maturity.

This new, voluntary self-assessment is intended to complement, not replace, an institution's current risk management and cybersecurity program and process.  It is designed to be completed periodically and/or as significant operational and technological changes occur.

To access the self-assessment or learn more, visit