Boards frequently report anxiety around data security, and question whether their policies and procedures are sufficient. With the average direct cost of a security incident approaching $4 million and the indirect, reputational costs beyond calculation, it’s easy to understand why. Boards are charged with implementing prudent data security, but board members are generally not information security experts. How, then, are boards to understand what is prudent for their institution? For starters, try the Cybersecurity Assessment Tool.
What is the Cybersecurity Assessment Tool?
Understanding the increasing threat data security incidents present to banks of all sizes, the Federal Financial Institutions Examination Council promulgated the Cybersecurity Assessment Tool in 2017 to assist boards of directors in understanding where their institution sits on a spectrum of cybersecurity risk and maturity. Consisting of two parts, the assessment is easy to complete for even the largest (or smallest) of banks, and the results are easy to comprehend even by non-IT professionals. When utilized consistently over time, the tool can help boards identify areas of (or for) improvement, and reduce anxiety around cyber-preparedness.
How Does the Assessment Tool Work?
The Cybersecurity Assessment Tool scores the bank across two dimensions: Inherent Risk and Cyber Maturity. An institution’s Inherent Risk Profile is simply an objective view of the riskiness of the bank’s operations, without taking into account the bank’s controls or mitigation strategies. An institution’s Cyber Maturity focuses on the institution’s controls and mitigation practices, and assesses their sophistication. Where the assessment indicates areas of imperfect alignment between risk and controls, boards can focus their attention and strengthen their security efforts.
How to Establish Your Inherent Risk Profile?
The Cybersecurity Assessment Tool presents banks with questions about five categories of activity: Technologies and Connection Types, Delivery Channels, Online and Mobile Products and Technology Services, Organizational Characteristics, and External Threats. Banks categorize their operations as more or less risky depending upon certain quantitative and qualitative questions presented. For instance, banks with a robust suite of mobile banking services provided using third-party applications are considered more risky than banks that require payment instructions to be given in person. Likewise, banks that process 100 payment instructions per day are considered less risky than banks that process 100,000, regardless of the channel through which the instructions are made. Upon answering all of the questions presented, the aggregate results determine where the bank falls on a risk scale, with options including Least, Minimally, Moderate, Significant, and Most. (It is worth noting that because of the quantitative aspects of the assessment, most community and regional banks will fall under the “Moderate” and “Significant” risk categories.)
How to Determine Your Cyber Maturity?
As with the Inherent Risk Profile, a bank’s Cyber Maturity is determined by reference to five “domains,” consisting of Cyber Risk Management and Oversight, Threat Intelligence and Collaborations, Cybersecurity Controls, External Dependency Management, and Cyber Incident Management and Resilience. Within each domain, the bank evaluates its maturity, ranging from “baseline” to “innovative.” The aggregate results determine whether the institution as a whole is baseline, evolving, intermediate, advanced or innovative. Baseline institutions meet the minimum required by law and regulation, but do no more. Evolving institutions maintain documented policies and procedures beyond those required by law. Intermediate institutions maintain detailed, formal processes and consistent and validated controls. Advanced institutions integrate cybersecurity practices and analytics across business lines, automate risk-management processes and engage in continuous process improvement. Innovative institutions develop new controls and new tools, create new information-sharing groups, and employ real-time, predictive analytics.
Putting It All Together
Once armed with the Risk Profile and the Maturity Level, boards can easily determine whether their policies are aligned with their operations. For instance, moderately risky banks with baseline cyber-maturity should either reduce risk or enhance their maturity. How to do either (or both) is suggested by the subcategories in the Cybersecurity Assessment Tool. Similarly, the highly formulaic nature of the assessment yields consistent, replicable results that aid in tracking performance over time. One period’s results can easily be compared to those of earlier periods to show progress towards the board’s goal of prudent security.
Chris Couch is a partner in McGlinchey Stafford’s Financial Institutions practice, where he advises banks and boards of directors on corporate compliance, operational risk and commercial lending matters. For more information on concentration risk and mitigation strategies, please contact Chris at ccouch@mcglinchey.com or by telephone at (205) 725-6404.