Understanding the New FFIEC Cybersecurity Assessment Tool

  • by Steve Sanders
  • Jul 07, 2015

The long-awaited Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool has arrived. Cybersecurity has been at the forefront of the minds of bankers nationwide for many months now, with no end to the epidemic in sight. Organized crime and even nation-states are targeting financial institutions of all sizes, and all indications seem to point to an increase in attacks targeting even smaller financial institutions. 

While there is no silver bullet to today’s cybersecurity problem, the FFIEC’s new Cybersecurity Assessment Tool has the potential to be a key component in a robust defense program.

FFIEC and NIST Join Forces

One of the keys to this new tool is the alignment with other industry standards, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework, which is one of the industry’s most respected cybersecurity frameworks. So, kudos to the FFIEC for giving the NIST an opportunity to review the tool and provide input.

The tool is quite straightforward, and its implementation will provide institutions of all sizes and complexities with a repeatable and measurable process for determining their cybersecurity preparedness posture. The tool focuses on both the “Inherent Risk Profile” and an institution’s “Cybersecurity Maturity.” Used in conjunction, these two components give the institution a “Risk/Maturity Relationship,” allowing it to easily determine whether its maturity level is in agreement with its inherent risk profile.

What’s Your Inherent Risk Profile?

The Inherent Risk Profile is a series of yes/no questions focused on key areas of risk, including Technologies and Connection Types, Delivery Channels, Online/Mobile Products and Technology Services, Organizational Characteristics, and External Threats. The answers to these questions determine the areas of Cybersecurity Maturity, which is a progressive scale that proceeds through Baseline, Evolving, Intermediate, Advanced, and finally, Innovative. That last designation on the scale represents the most mature programs.

Finally, the appendices provided by the FFIEC give those institutions that have already adopted a framework the tools they need to map the work they have already performed through either the FFIEC IT Handbook or the NIST Cybersecurity Framework to the new Cybersecurity Assessment Tool.

Why the Separate Tool?

The question some will have, however, is “Why the separate tool?” Was the NIST Cybersecurity Framework not good enough? I think the answer is simply that this new tool provides financial institutions with a customized approach that is simple to follow, aligns with NIST, and builds on previous FFIEC guidance.

Candidly, most experts considered this a must-use tool from a regulatory perspective, even before it had been evaluated, but it is indeed more than that. This seems to be one of the most useful benefits to come out of Washington DC for financial institutions in recent memory.

Financial institutions that embrace this swiftly and completely will not only find their regulators satisfied, but they will also find their own understanding of their cybersecurity posture to be greatly enhanced, a welcome sight for this increasingly complex and difficult challenge.

Steve Sanders, CSI’s vice president of internal audit, oversees the evaluation and mitigation of risks associated with IT, financial and operational systems. He is a CISA, CRISC, CRMA, and a CTGA, and he speaks regularly on information security, cybersecurity, IT and IT audit topics.