UPDATED: FFIEC cybersecurity assessment tool up for renewal; comments invited

Federal bank and credit union regulators are inviting comments until June 4 on renewal of the FFIEC Cybersecurity Assessment Tool, which was created to help financial institutions assess their inherent cyber risks and risk management capabilities, according to a notice scheduled to publish Friday in the Federal Register.

The Office of the Comptroller of the Currency (OCC), Federal Reserve Board, Federal Deposit Insurance Corp. (FDIC), and National Credit Union Administration (NCUA) – under the auspices of the umbrella Federal Financial Institutions Examination Council (FFIEC) – created the assessment tool to allow financial institutions of all asset sizes to self-assess their inherent cyber risk profiles based on the technologies and connection types, delivery channels, online/mobile products and technology services they offer, organizational characteristics, and cyber threats they are likely to face.

The tool, the notice explains, provides a “maturity matrix” to allow institutions to evaluate their level of cybersecurity preparedness based on their cyber risk management and oversight, threat intelligence capabilities, cybersecurity controls, external dependency management, and cyber incident management and resiliency planning. The matrix’s maturity levels can be used to identify opportunities for improving an institution’s cyber risk management based on its inherent risk profile, it says. The assessment is also intended to help institutions rapidly identify areas that could improve their cyber risk management and response programs.

The notice includes annual burden estimates for using the tool. These estimates, based on the assumption that all institutions are using the voluntary tool, suggest that federally supervised banks, holding companies, savings associations and credit unions expend an average of about 89 hours on the assessment.

The OCC issued the request for comments on behalf of all the agencies and will receive the comments submitted.

Agency Information Collection Activities: Information Collection Renewal; Comment Request; FFIEC Cybersecurity Assessment Tool