Blog: FFIEC

This article was updated on August 28, 2019. See below for the updates.

What is the FSSCC Cybersecurity Profile?

The FSSCC Cybersecurity Profile was published on October 25, 2018 by the Financial Services Sector Coordinating Council (FSSCC). The FSSCC is a private entity made up of 70 members from financial services organizations. The Cybersecurity Profile is tiered, so that users answer a set of questions scaled to their institution. This scaling is designed to provide an expedited assessment of the organization's cybersecurity preparedness.

The FSSCC has publicized their Cybersecurity Profile as a resource, designed to simplify the regulatory burden placed on financial institutions. According to the FSSCC's Benefits to Financial Institutions section of their website, the tool offers a "73% reduction for community institution assessment questions" when compared to the FFIEC CAT.

In addition to the tool's claims of efficiency, its development is largely credited to organizations familiar to the financial services industry. The Press Release names the American Bankers Association, Bank Policy Institute, the Institute of International Bankers, and others.

Beyond this, the FSSCC has made multiple appeals to the Cybersecurity Profile's usefulness in regulatory examinations, going so far as to claim, "The numerous and substantial benefits [of using the FSSCC Cybersecurity Profile] to the financial services sector are: […] Supports tailored supervision, examinations, and collaboration among state, federal, and international supervisors," per the FSSCC Overview and Users Guide.

What is the FFIEC Cybersecurity Assessment Tool?

The FFIEC Cybersecurity Assessment Tool (CAT) was initially published on June 30, 2015, and updated May 31, 2017. The CAT was designed by the Federal Financial Institutions Examination Council (FFIEC), a formal interagency body made up of members from the FRB, FDIC, NCUA, OCC, CFPB, and SLC. The CAT is standardized: every user answers the same specific set of questions, designed to provide a thorough assessment of the organization's cybersecurity preparedness.

The FFIEC CAT includes 494 cybersecurity maturity statements, which has resulted in some complaints about its length. However, the tool is designed not only to provide a detailed assessment of a financial institution's current state of cybersecurity preparedness, but also to enable targeted, long-term planning for growth and improvement.

With regard to examinations:

• The FDIC continues to heavily rely on the InTREx Work Program. While InTREx does state financial institutions are not required to use the FFIEC CAT to assess cybersecurity preparedness, the program also states FDIC examiners will reference the CAT's Appendix A when performing examinations.

• The NCUA is currently implementing the Automated Cybersecurity Examination Tool (ACET). The ACET is based on the FFIEC CAT, with a document request list to help credit unions understand, gather, and organize the documents needed for the examination. Read our blog on FAQs about the ACET.

• In their Spring 2018 Semiannual Risk Perspective, the OCC announced they had "implemented the Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool (CAT) into its examination process." In addition, an OCC representative at the 2019 CoNetrix KEYS Conference Examiner Panel indicated the OCC is piloting their own segmented version of the FFIEC CAT, to be fully completed on a three-year cycle.

August 2019 Update: In July 2019, the OCC replied to a comment from the FSSCC in the Federal Register. The FSSCC asked the agencies to "make a clear statement that other methodologies, such as NIST Cybersecurity Framework and the FSSCC Cybersecurity Profile, are acceptable inputs into the examination process." The OCC replied that financial institutions "may choose to use the [FFIEC CAT], the NIST Cybersecurity Framework, or any other risk assessment process or tool to assess cybersecurity risk."

• The FRB's supervisory letter about the tool, SR 15-9, indicated the CAT's planned use in examinations, and the FRB was a contributor in the May 2017 update of the tool, per their 2017 Annual Report. Additionally, a list of Information Technology Guidance was published, including the FFIEC CAT as a "Policy Letter."

Will the FSSCC Cybersecurity Profile Replace the FFIEC Cybersecurity Assessment Tool?

While the FSSCC Cybersecurity Profile has fewer questions, and the FSSCC has expressed interest in seeing the tool used during regulatory examinations, the federal banking agencies have not yet expressed the same interest.

In addition, while completing the FFIEC CAT is not required, four years into the CAT's implementation, examiners are now familiar with the tool and the agencies continue to supplement and reference the CAT in their own examination programs. In light of this, using the CAT to assess cybersecurity preparedness could help expedite the examination process, as the tool may be used during an exam.

At this point in time, it is not clear what the future holds for the FSSCC Cybersecurity Profile. Due to the thorough nature and widespread adoption of the FFIEC CAT, it is difficult to imagine the CAT will be replaced by any tool in the foreseeable future.

August 2019 Update: In August 2019, the FFIEC published a press release encouraging a standardized approach to assessing cybersecurity preparedness. While the press release lists the FFIEC CAT, NIST Cybersecurity Framework, Center for Internet Security Controls, and FSSCC Cybersecurity Profile as references to "support institutions in their self-assessment activities," the press release reiterates that "the FFIEC does not endorse any particular tool" and the "tools are not examination programs."

Does CoNetrix have anything that can help with assessing cybersecurity preparedness?

Yes. The Tandem Cybersecurity module took the FFIEC CAT PDF content and streamlined it into an easy-to-use web-based application. With email reminders, charts and graphs, presentation documents, optional peer comparison, and tools for the NCUA's ACET, you can put the FFIEC CAT to work for you. Get started for free with Tandem Cybersecurity.


On September 9, 2016, the Federal Financial Institutions Examination Council (FFIEC) released a revised Information Security booklet. This booklet is one of eleven booklets that make up the FFIEC Information Technology Examination Handbook (FFIEC IT Handbook). The IT Handbook is designed to provide information and reference to financial institutions and examiners. The Information Security booklet specifically "provides guidance to examiners and addresses factors necessary to assess the level of security risks to a financial institution's information systems."

To learn more about the new FFIEC Information Security Booklet, join us for a webinar on October 11 at 2:00 pm CDT. Register now.

To see other webinars offered by CoNetrix, visit our webinars page.

About the FFIEC: The FFIEC was established in 1979 per Title X of the Financial Institutions Regulatory and Interest Rate Control Act of 1978. The FFIEC is made up of the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), the State Liaison Committee (SLC), and the Consumer Financial Protection Bureau (CFPB).


Today the Federal Financial Institutions Examination Council (FFIEC) issued an update to the FFIEC IT Handbook, BCP Booklet. The update included a new appendix entitled Strengthening the Resilience of Outsourced Technology Services. The appendix highlights and expands on the BCP Booklet in four specific areas: third-party management, third-party capacity, testing with third-party technology service providers, and cyber resilience. To learn more, visit https://www.ffiec.gov/press/pr020615.htm


The Federal Financial Institutions Examination Council (FFIEC) today launched a web page dedicated to cybersecurity (http://www.ffiec.gov/cybersecurity.htm). The website is designed to be "a central repository for current and future FFIEC-related materials on cybersecurity."

As a part of the Press Release announcing the launch of the cybersecurity web page, the FFIEC also noted the launch of the website "coincides with a pilot program at more than 500 community institutions, to be conducted by state and federal regulators, which will be completed during regularly scheduled examinations." According to the press release, the focus of the pilot program will be on:

  1. Risk Management and Oversight
  2. Threat Intelligence and Collaboration
  3. Cybersecurity Controls
  4. Service Provider and Vendor Risk Management
  5. Cyber Incident Management and Resilience

The pilot program is expected to last about four weeks and include regulators from the FDIC, OCC, Federal Reserve, NCUA, and the States.


This month, the New York State Department of Financial Services ("the Department") released results from a survey conducted in 2013 on cyber security. 154 institutions completed the survey, representing 60 community and regional banks, 12 credit unions, and 82 foreign branches and agencies. The survey asked questions regarding information security framework; corporate governance around cyber security; use and frequency of penetration testing and results; budget and costs associated with cyber security; the frequency, nature, cost of, and response to cyber security breaches; and future plans on cyber security.

In conclusion, the Department states:

"As part of its continuing efforts in this area, the Department plans to expand its IT examination procedures to focus more fully on cyber security. The revised examination procedures will include additional questions in the areas of IT management and governance, incident response and event management, access controls, network security, vendor management, and disaster recovery. The revised procedures are intended to take a holistic view of an institution's cyber readiness and will be tailored to reflect each institution's unique risk profile. The Department believes this approach will foster smarter, stronger cyber security programs that reflect the diversity of New York's financial services industry."

This report comes on the heels of the FFIEC webinar, Executive Leadership of Cybersecurity: What Today's CEO Needs to Know About the Threats They Don't See, in which the FFIEC introduced expectations for new examination procedures.

The full Report on Cyber Security in the Banking Sector by the New York State Department of Financial Services can be found here: http://www.dfs.ny.gov/about/press2014/pr140505_cyber_security.pdf


The Federal Financial Institutions Examination Council (FFIEC) issued statements today notifying financial institutions of the risks associated with cyber-attacks on Automated Teller Machine (ATM) and card authorization systems, and of the continued distributed denial-of-service (DDoS) attacks.

To read the Press Release, visit http://www.ffiec.gov/press/pr040214.htm

To view the Joint Statement, Cyber-attacks on Financial Institutions' ATM and Card Authorization Systems, visit http://www.ffiec.gov/press/PDF/FFIEC%20ATM%20Cash-Out%20Statement.pdf

To view the Joint Statement, Distributed Denial-of-Service (DDoS) Cyber-Attacks, Risk Mitigation, and Additional Resources, visit http://www.ffiec.gov/press/PDF/FFIEC%20DDoS%20Joint%20Statement.pdf


The Federal Financial Institutions Examination Council (FFIEC) issued an updated Retail Payment Systems Booklet. The booklet is part of the IT Examination Handbook series and provides guidance to examiners, financial institutions, and technology service providers (TSPs) on identifying and controlling risks associated with retail payment systems and related banking activities. To download the booklet and associated work program, visit http://www.ffiec.gov/ffiecinfobase/html_pages/it_01.html


The FFIEC released the new Business Continuity Planning (BCP) IT Examination Handbook this month. The prior BCP IT Examination Handbook was released in March 2003. A few new key areas include:

  • Pandemic Planning
  • More emphasis on:
    • Business Impact Analysis (BIA)
    • Risk Assessment
    • Testing

The new BCP IT Examination Handbook has been greatly expanded. To give you an idea, the old BCP booklet (March 2003) was only 57 pages, while the new booklet (March 2008) is 132 pages, more than twice the size. This should also give us an indication of the new importance and emphasis placed on Business Continuity.

To view the new BCP IT Examination Handbook, go to http://ithandbook.ffiec.gov/it-booklets/business-continuity-planning.aspx. You can also check out our BCP Software offering.