What is the FFIEC?

In the cybersecurity world, there are acronyms for everything from certifications, tools, compliance requirements, and agencies. Today, we continue exploring the various agencies that exist and what they offer to the cybersecurity world with a deep dive on the Federal Financial Institutions Examination Council or “FFIEC“.

FFIEC History

The FFIEC was established on March 10, 1979, pursuant to Title X of the Financial Institutions Regulatory and Interest Rate Control Act of 1978 (FIRA), Public Law 95-630. In 1989, Title XI of the Financial Institutions Reform, Recovery and Enforcement Act of 1989 (FIRREA) established The Appraisal Subcommittee (ASC) within the Examination Council. The Council is responsible for developing uniform reporting systems for federally supervised financial institutions, their holding companies, and the non-financial institution subsidiaries of those institutions and holding companies.

In June 2013, the FFIEC announced the creation of the Cybersecurity and Critical Infrastructure Working Group to enhance communication among the FFIEC member agencies and build on existing efforts to strengthen the activities of other interagency and private sector groups. In addition, the FFIEC began assessing and enhancing the state of the industry preparedness and identifying gaps in the regulators’ examination procedures and training that can be closed to strengthen the oversight of cybersecurity readiness.

FFIEC Cybersecurity Assessment Tool

The FFIEC is obviously broader than just the cybesecurity aspect, however, one of the great things they have done is publish a free Cybersecurity Assessment Tool. The Assessment is based on the cybersecurity assessment that the FFIEC members piloted in 2014, which was designed to evaluate community institutions’ preparedness to mitigate cyber risks. As part of cybersecurity, institutions should consider managing internal and external threats and vulnerabilities to protect infrastructure and information assets.

The Assessment is designed to provide a measurable and repeatable process to assess an institution’s level of cybersecurity risk and preparedness. Part one of the Assessment is the Inherent Risk Profile, which identifies an institution’s inherent risk relevant to cyber risks. Part two is the Cybersecurity Maturity, which determines an institution’s current state of cybersecurity preparedness represented by maturity levels across five domains. For the Assessment to be an effective risk management tool, an institution may want to complete it periodically and as significant operational and technological changes occur.

This free offering is a great place to start, especially for a small financial institution that may not have the resources and access to a large third party assessment, when trying to mature a security program. Further, this framework can also be used by non-financial institutions as it offers a great platform for assessing your cybersecurity maturation. Interested in learning more? We are happy to assess how you can get started and how Triaxiom can help.