Board of Governors of the Federal Reserve System

Background

The purpose of this letter is to announce that the Federal Financial Institutions Examination Council (FFIEC)¹ has developed a Cybersecurity Assessment Tool (assessment tool), the output of which can assist a financial institution’s senior management and board of directors in assessing the institution’s cybersecurity risk and preparedness.  The assessment tool is designed to assist institutions in managing their cybersecurity risk.  The first part of the assessment tool is the inherent risk profile, which aims to help management determine an institution’s level of cybersecurity risk.  The second part of the assessment tool is cybersecurity maturity, which is designed to help management assess whether their controls provide the desired level of preparedness.  Upon completion of both parts, management and the board of directors can evaluate whether the financial institution’s inherent risk and preparedness are aligned.  Overall, the assessment tool provides a repeatable and measurable process for a financial institution to measure its cybersecurity preparedness over time.  Institutions can access the assessment tool at http://www.ffiec.gov/cybersecurity.htm.

The assessment tool incorporates cybersecurity-related principles from the FFIEC Information Technology (IT) Examination Handbook, regulatory guidance, and concepts from other industry standards, including the National Institute of Standards and Technology Cybersecurity Framework.²  Going forward, the FFIEC will update the assessment tool and the IT Examination Handbook based on the changing cybersecurity threat landscape.  The FFIEC’s website³ contains supporting resources to assist institutions in completing the assessment tool and enhancing their cybersecurity risk management.

Implementation

A forthcoming Paperwork Reduction Act notice in the Federal Register will provide financial institutions and the industry the opportunity to comment on the assessment tool.⁴  Based on industry feedback, the Federal Reserve will work with the other FFIEC agencies to determine whether changes to the assessment tool are warranted.  In particular, the Federal Reserve will work to tailor expectations to minimize burden for financial institutions with low cybersecurity risk profiles and, potentially, supplement expectations for financial institutions with significant cybersecurity risk profiles.  Beginning in late 2015 or early 2016, the Federal Reserve plans to utilize the assessment tool as part of our examination process when evaluating financial institutions’ cybersecurity preparedness in information technology and safety and soundness examinations and inspections.

Questions

Federal Reserve Banks should distribute this letter to supervised financial institutions as well as to appropriate supervisory staff.  Questions regarding this guidance may be directed to the following staff in the Board’s Systems and Operational Resiliency Policy Section:  Christopher Olson, Senior Supervisory Financial Analyst at (202) 912-4609; or Matthew Hayduk, Manager, at (202) 973-6190.  In addition, questions may be sent via the Board’s public website.⁵

Notes: