CSI Resources

computer sitting on top of diagram

20 Questions the FFIEC Wants You to Answer

  • by Steve Sanders
  • Aug 04, 2016

After the FFIEC conducted cybersecurity exams at more than 500 community financial institutions across the U.S. in 2014, regulators found a significant difference in the level of inherent cybersecurity risks across financial institutions. 

They also found that some financial institutions are doing a better job of managing these risks than others. And that’s when the FFIEC came up with 20 questions, divided among six key categories, that regulators feel are important for your bank to consider for its cyber-risk preparedness.

Connection Types

The first category of questions involves inherent cyber risks, namely connection types. A connection is any digital point of entry into your financial institution. Whether the connection is a virtual private or wireless network, a product or service like Bring Your Own Device (BYOD) or any other technology used to access your IT enterprise, these connections can serve as entry points for malware attacks.

The FFIEC suggests that your board determine if connections within your organization are necessary by asking:

  1. What types of connections does my financial institution have? 
  2. How are we managing these connections in light of the rapidly evolving threat and vulnerability landscape?
  3. Do we need all of our connections? Would reducing the types and frequency of connections improve our risk management?
  4. How do we evaluate evolving cyber threats and vulnerabilities in our risk assessment process for the technologies we use and the products and services we offer?
  5. How do our connections, products and services offered, and technologies used collectively affect our financial institution’s overall inherent cybersecurity risk?

Risk Management and Oversight

The second category involves cybersecurity preparedness. While many banks have done an excellent job of training their employees to be aware of and manage cyber risks, many haven’t done as well with their board of directors’ cybersecurity training.

In order to establish a security culture across the entire organization, board involvement in cybersecurity management and oversight is imperative. Your board should consider:

  1. What is the process for ensuring ongoing and routine discussions by the board and senior management about cyber threats and vulnerabilities to our financial institution?
  2. How is accountability determined for managing cyber risks across our financial institution? Does this include management’s accountability for business decisions that may introduce new cyber risks?
  3. What is the process for ensuring ongoing employee awareness and effective response to cyber risks? 

Threat Intelligence and Collaboration

Next, the FFIEC suggests asking questions to help your bank determine if you’re properly gathering, sharing, analyzing, reporting on and collaborating with law enforcement on cybersecurity threats and vulnerabilities. These questions include: 

  1. What is the process to gather and analyze threat and vulnerability information from multiple sources?
  2. How do we leverage this information to improve risk management practices?
  3. What reports are provided to our board on cyber events and trends?
  4. Who is accountable for maintaining relationships with law enforcement?

Cybersecurity Controls

Then, to help determine if your financial institution’s cybersecurity control environment protects from vulnerabilities and promotes preparedness for detecting and correcting when events occur, the FFIEC poses these questions for banks to consider: 

  1. What is the process for determining and implementing preventive, detective and corrective controls on our financial institution’s network?
  2. Does the process call for a review and update of controls when our financial institution changes its IT environment?
  3. What is our financial institution’s process for classifying data and determining appropriate controls based on risk?
  4. What is our process for ensuring that risks identified through our detective controls are remediated?

External Dependency Management

Continuing, the FFIEC addresses external dependency management, which pertains to third-party service providers, business partners and even customers. To ensure your financial institution is considering not only your connection to third parties, but also the expectations for all parties in the event of a cyberattack, you should ask:

  1. How is our financial institution connecting to third parties and ensuring they are managing their cybersecurity controls?
  2. What are our third parties’ responsibilities during a cyberattack? How are these outlined in incident response plans?

Cyber Incident Management and Resilience

And finally, when cyber incidents occur, your financial institution must have procedures in place for notifying customers, regulators and law enforcement. Answering these questions from the FFIEC can help ensure your bank has a communication plan in place should an incident occur:

  1. In the event of a cyberattack, how will our financial institution respond internally and with customers, third parties, regulators and law enforcement?
  2. How are cyber-incident scenarios incorporated in our financial institution’s business continuity and disaster recovery plans? Have these plans been tested? 

How Do You Eat an Elephant?

Cybersecurity can seem like an overwhelming task for any financial institution. But, utilizing the resources available to you, like the Cybersecurity Assessment Tool, and training employees, management and the board can help ensure you create a culture of security within your financial institution. 

Start by answering these 20 cybersecurity questions one at a time. Then, begin putting the proper controls in place, as you can, and your security posture will certainly improve.  


Steve Sanders, CSI vice president of Internal Audit, oversees the evaluation of risks associated with IT, financial and operational systems. He has a strong knowledge of cybersecurity and privacy, accompanied by an educational background in computer security and data protection. Steve has a unique ability to simplify these complex topics and increase awareness, and as such, he regularly speaks at conferences on information security, cybersecurity and risk management. In fact, he presented CSI’s Semi-Annual Cybersecurity Update, focusing on the FFIEC’s 20 questions.