Cybersecurity Assessment Tool - LBA

Transcription

Financial Institution Letter
Federal Deposit Insurance Corporation
550 17th Street NW, Washington, D.C. 20429-9990

FIL-28-2015
July 2, 2015

Cybersecurity Assessment Tool

Summary: The FDIC, in coordination with the other members of the Federal Financial Institutions Examination Council (FFIEC), is issuing the FFIEC Cybersecurity Assessment Tool to help institutions identify their cybersecurity risks and determine their preparedness.

Statement of Applicability to Institutions with Less than $1 Billion in Total Assets: This Financial Institution Letter (FIL) is applicable to all FDIC-supervised institutions.

Suggested Distribution: FDIC-Supervised Banks (Commercial and Savings)

Suggested Routing: Chief Executive Officer; Chief Information Officer; Chief Information Security Officer

Attachments: FFIEC Cybersecurity Assessment Tool

Related Topics: FFIEC Cybersecurity Brochure, https://www.ffiec.gov/press/PDF/FFIECCyberSecurityBrochure.pdf; FFIEC Cybersecurity Assessment General Observations

Contact: Marlene Roberts, Senior Examination Specialist, at marroberts@fdic.gov or (703) 254-0465.

Highlights:

The Cybersecurity Assessment Tool has been developed by the FFIEC members in response to requests from the industry for assistance in determining preparedness for cyber threats. Use of the Cybersecurity Assessment Tool is voluntary.

The Cybersecurity Assessment Tool provides a way for institution management to assess an institution's inherent risk profile and cybersecurity maturity to inform risk management strategies.

The Cybersecurity Assessment Tool and a variety of supporting resources, including an executive overview, user's guide, and instructional presentation, are available on the Cybersecurity Awareness page of the FFIEC.gov website at https://www.ffiec.gov/cybersecurity.htm. Also available is a mapping of the Cybersecurity Assessment Tool to the Cybersecurity Framework issued by the National Institute of Standards and Technology and a mapping of the Baseline Statements of the Cybersecurity Assessment Tool to the FFIEC Information Technology Examination Handbook.

Note: FDIC examiners will discuss the Cybersecurity Assessment Tool with institution management during examinations to ensure awareness and assist with answers to any questions.

FDIC financial institution letters (FILs) may be accessed from the FDIC's Web site at https://fdic.gov/news/news/financial/2015/. To receive FILs electronically, please visit https://www.fdic.gov/about/subscriptions/fil.html. Paper copies of FDIC financial institution letters may be obtained through the FDIC's Public Information Center, 3501 Fairfax Drive, E-1002, Arlington, VA 22226 (1-877-275-3342 or 703-562-2200).

The FDIC encourages institutions to comment on the usability of the Cybersecurity Assessment Tool, including the estimated number of hours required to complete the Assessment, through a forthcoming Federal Register Notice. FDIC-supervised institutions may direct questions on the FFIEC Cybersecurity Assessment Tool to Marlene Roberts, Senior Examination Specialist, at marroberts@fdic.gov or (703) 254-0465.

FFIEC Cybersecurity Assessment Tool
Overview for CEOs and Boards of Directors

In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council (FFIEC)[1] developed the Cybersecurity Assessment Tool (Assessment), on behalf of its members, to help institutions identify their risks and determine their cybersecurity preparedness. The Assessment provides a repeatable and measurable process for institutions to measure their cybersecurity preparedness over time. The Assessment incorporates cybersecurity-related principles from the FFIEC Information Technology (IT) Examination Handbook and regulatory guidance, and concepts from other industry standards, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework.[2]

Benefits to the Institution

For institutions using the Assessment, management will be able to enhance their oversight and management of the institution's cybersecurity by doing the following:
- Identifying factors contributing to and determining the institution's overall cyber risk.
- Assessing the institution's cybersecurity preparedness.
- Evaluating whether the institution's cybersecurity preparedness is aligned with its risks.
- Determining risk management practices and controls that are needed or need enhancement and actions to be taken to achieve the desired state.
- Informing risk management strategies.

CEO and Board of Directors

The role of the chief executive officer (CEO), with management's support, may include the responsibility to do the following:
- Develop a plan to conduct the Assessment.
- Lead employee efforts during the Assessment to facilitate timely responses from across the institution.
- Set the target state of cybersecurity preparedness that best aligns to the board of directors' (board) stated (or approved) risk appetite.
- Review, approve, and support plans to address risk management and control weaknesses.
- Analyze and present results for executive oversight, including key stakeholders and the board, or an appropriate board committee.
- Oversee the performance of ongoing monitoring to remain nimble and agile in addressing evolving areas of cybersecurity risk.
- Oversee changes to maintain or increase the desired cybersecurity preparedness.

[1] The FFIEC comprises the principals of the following: the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, Consumer Financial Protection Bureau, and State Liaison Committee.
[2] A mapping is available in Appendix B: Mapping Cybersecurity Assessment Tool to the NIST Cybersecurity Framework. NIST reviewed and provided input on the mapping to ensure consistency with Framework principles and to highlight the complementary nature of the two resources.

June 2015

The role of the board, or an appropriate board committee, may include the responsibility to do the following:
- Engage management in establishing the institution's vision, risk appetite, and overall strategic direction.
- Approve plans to use the Assessment.
- Review management's analysis of the Assessment results, inclusive of any reviews or opinions on the results issued by independent risk management or internal audit functions regarding those results.
- Review management's determination of whether the institution's cybersecurity preparedness is aligned with its risks.
- Review and approve plans to address any risk management or control weaknesses.
- Review the results of management's ongoing monitoring of the institution's exposure to and preparedness for cyber threats.

The Assessment consists of two parts: Inherent Risk Profile and Cybersecurity Maturity. Upon completion of both parts, management can evaluate whether the institution's inherent risk and preparedness are aligned.

Inherent Risk Profile

Cybersecurity inherent risk is the level of risk posed to the institution by the following:
- Technologies and Connection Types
- Delivery Channels
- Online/Mobile Products and Technology Services
- Organizational Characteristics
- External Threats

Inherent risk incorporates the type, volume, and complexity of the institution's operations and threats directed at the institution. Inherent risk does not include mitigating controls. The Inherent Risk Profile includes descriptions of activities across risk categories with definitions for the least to most levels of inherent risk. The profile helps management determine exposure to risk that the institution's activities, services, and products individually and collectively pose to the institution. When each of the activities, services, and products are assessed, management can review the results and determine the institution's overall inherent risk profile.

Cybersecurity Maturity

The Assessment's second part is Cybersecurity Maturity, designed to help management measure the institution's level of risk and corresponding controls. The levels range from baseline to innovative. Cybersecurity Maturity includes statements to determine whether an institution's behaviors, practices, and processes can support cybersecurity preparedness within the following five domains:
- Cyber Risk Management and Oversight
- Threat Intelligence and Collaboration
- Cybersecurity Controls
- External Dependency Management
- Cyber Incident Management and Resilience

The domains include assessment factors and contributing components. Within each component, declarative statements describe activities supporting the assessment factor at each maturity level. Management determines which declarative statements best fit the current practices of the institution. All declarative statements in each maturity level, and previous levels, must be attained and sustained to achieve that domain's maturity level. While management can determine the institution's maturity level in each domain, the Assessment is not designed to identify an overall cybersecurity maturity level. The figure below provides the five domains and assessment factors.

[Figure: the five domains and their assessment factors. Labels recoverable from the figure: Preventative Controls; Monitoring; Planning and Strategy; Connections; Detection, Response, and Mitigation; Relationship Management; Escalation and Reporting; Training and Culture.]
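As an added illustration (not part of the FFIEC document or the Assessment itself), the following Python sketch applies the cumulative rule just described to a domain's declarative-statement responses: a level counts only when every statement at that level and every lower level is attained, and the result also names the unattained statements that block the next level. The two domain names are taken from the text; the statement ids and Yes/No outcomes are constructed.

```python
"""Domain maturity determination following the cumulative rule of the FFIEC
Cybersecurity Assessment Tool: a domain reaches a maturity level only when every
declarative statement at that level and at all lower levels is attained.
Statement ids and outcomes below are constructed, not the Assessment's own."""
from collections import Counter, defaultdict

MATURITY_LEVELS = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]

def domain_maturity(responses):
    """responses: list of (level, statement_id, attained) for one domain.
    Returns (achieved_level or None, blocking) where blocking lists the unattained
    statements at the lowest level not achieved; None means Baseline not achieved."""
    total, unattained = Counter(), defaultdict(list)
    for level, stmt_id, attained in responses:
        if level not in MATURITY_LEVELS:
            raise ValueError(f"unknown maturity level: {level}")
        total[level] += 1
        if not attained:
            unattained[level].append(stmt_id)
    achieved = None
    for level in MATURITY_LEVELS:  # ascend; stop at the first level with a gap
        if total[level] == 0:      # no statements answered at this level: cannot claim it
            break
        if unattained[level]:
            return achieved, sorted(unattained[level])
        achieved = level           # every statement here and below is attained
    return achieved, []

def assess(domains):
    """Per-domain results only: the Assessment defines no overall maturity level."""
    return {name: domain_maturity(resps) for name, resps in domains.items()}

# Constructed responses for two of the five domains named in the Assessment.
SAMPLE = {
    "Cyber Risk Management and Oversight": [
        ("Baseline", "B1", True), ("Baseline", "B2", True),
        ("Evolving", "E1", True), ("Evolving", "E2", False),
        ("Intermediate", "I1", True),  # attained, but the Evolving gap caps the domain
    ],
    "Threat Intelligence and Collaboration": [
        ("Baseline", "B1", True), ("Baseline", "B2", False),
        ("Evolving", "E1", True),
    ],
}

if __name__ == "__main__":
    for domain, (level, gaps) in assess(SAMPLE).items():
        print(f"{domain}: {level or 'Baseline not achieved'}; blocking: {gaps}")
```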

Management can review the institution's Inherent Risk Profile in relation to its Cybersecurity Maturity results for each domain to understand whether they are aligned. The following table depicts the relationship between an institution's Inherent Risk Profile and its domain Maturity Levels, as there is no single expected level for an institution. In general, as inherent risk rises, an institution's maturity levels should increase. An institution's inherent risk profile and maturity levels will change over time as threats, vulnerabilities, and operational environments change. Thus, management should consider reevaluating the institution's inherent risk profile and cybersecurity maturity periodically and when planned changes can affect its inherent risk profile (e.g., launching new products or services, new connections).

[Table: Risk/Maturity Relationship. Columns: Inherent Risk Levels (Least, Minimal, Moderate, Significant, Most). Rows: Cybersecurity Maturity Level for Each Domain (Innovative, Advanced, Intermediate, Evolving, Baseline).]

Management can then decide what actions are needed either to affect the inherent risk profile or to achieve a desired state of maturity. On an ongoing basis, management may use the Assessment to identify changes to the institution's inherent risk profile when new threats arise or when considering changes to the business strategy, such as expanding operations, offering new products and services, or entering into new third-party relationships that support critical activities. Consequently, management can determine whether additional risk management practices or controls are needed to maintain or augment the institution's cybersecurity maturity.

An essential part of implementing the Assessment is to validate the institution's process and findings and the effectiveness and sufficiency of the plans to address any identified weaknesses. The next section provides some questions to assist management and the board when using the Assessment.

Cybersecurity Management & Oversight
- What are the potential cyber threats to the institution?
- Is the institution a direct target of attacks?
- Is the institution's cybersecurity preparedness receiving the appropriate level of time and attention from management and the board or an appropriate board committee?

- Do the institution's policies and procedures demonstrate management's commitment to sustaining appropriate cybersecurity maturity levels?
- What is the ongoing process for gathering, monitoring, analyzing, and reporting risks?
- Who is accountable for assessing and managing the risks posed by changes to the business strategy or technology?
- Are the accountable individuals empowered with the authority to carry out these responsibilities?
- Do the inherent risk profile and cybersecurity maturity levels meet management's business and risk management expectations? If there is misalignment, what are the proposed plans to bring them into alignment?
- How can management and the board, or an appropriate board committee, make this process part of the institution's enterprise-wide governance framework?

Inherent Risk Profile
- What is the process for gathering and validating the information for the inherent risk profile and cybersecurity maturity?
- How can management and the board, or an appropriate board committee, support improvements to the institution's process for conducting the Assessment?
- What do the results of the Assessment mean to the institution as it looks at its overall risk profile?
- What are the institution's areas of highest inherent risk?
- Is management updating the institution's inherent risk profile to reflect changes in activities, services, and products?

Cybersecurity Maturity
- How effective are the institution's risk management activities and controls identified in the Assessment?
- Are there more efficient or effective means for attaining or improving the institution's risk management and controls?
- What third parties does the institution rely on to support critical activities?
- What is the process to oversee third parties and understand their inherent risks and cybersecurity maturity?
- How does management validate the type and volume of attacks?
- Is the institution sharing threat information with peers, law enforcement, and critical third parties through information-sharing procedures?

FFIEC has developed the Assessment to assist management and the board, or an appropriate board committee, in assessing their institution's cybersecurity preparedness and risk. For more information and additional questions to consider, refer to the FFIEC Cybersecurity Assessment General Observations on the FFIEC's Web site.
