Earlier this summer, the Federal Financial Institutions Examination Council (FFIEC) released its highly anticipated Cybersecurity Assessment Tool (Assessment), which is designed to assist financial institutions in identifying and assessing risks and weaknesses in, and the overall maturity of, their cybersecurity preparedness programs. Financial Institutions' management, directors, in-house counsel, and regulatory/compliance personnel need to be aware of this development. Now there is increased guidance on the type of cybersecurity systems and procedures that need to be implemented to satisfy post-hoc regulatory or judicial scrutiny. This guidance may also impact how regulators, or in the event of a problem, courts hearing civil lawsuits, assess both the institution's level of preparedness and how the company's directors and officers discharged their responsibilities in creating and maintaining cybersecurity measures.
Although financial institutions are not required to use the Assessment, understanding it is critical because it allows "management and directors of financial institutions [to] understand supervisory expectations, increase awareness of cybersecurity risks, and assess and mitigate the risks facing their institutions." This is important given that regulators such as the Office of the Comptroller of Currency (OCC) and the National Credit Union Administration are mapping out an aggressive plan to incorporate the Assessment into examinations (late-2015 for the former, and June 2016 for the latter). The OCC, for example, stated in its June bulletin that examiners will be using the Assessment "to supplement exam work to gain a more complete understanding of an institution's inherent risk, risk management practices, and controls related to cybersecurity." Therefore, financial institutions should strongly consider integrating the Assessment in their internal reviews of cybersecurity controls.
The Assessment consists of two parts: (1) the Inherent Risk Profile and (2) an evaluation of Cybersecurity Maturity. This breakdown is significant because it confirms regulatory focus on risk mitigation and adequate management of cybersecurity preparedness, not wholesale elimination of all risk of cyber breaches. It also is consistent with established corporate law, in Delaware and elsewhere, that assess whether a board adequately discharged its duties in the face of corporate misconduct by looking primarily to whether directors in good faith established systems and procedures designed to detect and prevent misconduct that nonetheless occurred. See, e.g., In re Caremark Int'l Inc. Derivative Litig., 698 A.2d 959, 970 (Del. Ch. 1996) ("I am of the view that a director's obligation includes a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate, exists.").
Part I of the Assessment identifies five risk categories to determine a financial institution's Inherent Risk Profile, excluding mitigation control effects, and recommends that each category be assigned a risk level according to a five-point scale, from "Least" to "Most." The categories are:
Part II of the Assessment determines the financial institution's Cybersecurity Maturity level in five separate domains, then prescribes assigning each domain one of five maturity levels, from "Baseline" to "Innovative." The domains are:
FFIEC has provided a chart to assist in reviewing the financial institution's Inherent Risk profile in relation to its Cybsersecurity Maturity results. This will help the institution's management to determine when cybersecurity controls are sufficient.
If a financial institution determines that its maturity levels are not appropriate in relation to the Inherent Risk profile, it can either reduce the risk or develop a strategy to improve the maturity levels. Because meaningful risk reduction might not be achievable without significant changes to its business model, institutions likely will have to focus heavily on increasing maturity levels.
Significantly, as part of the Assessment, FFIEC set forth specific expectations for the boards of financial institutions (as well as their CEOs), signaling not only the importance of governance in enterprise-wide cybersecurity risk management, but clarifying that future regulatory examinations will focus specifically on whether the Board fulfilled its cybersecurity-related responsibilities. Board governance over cybersecurity risk has emerged as a significant focus and consistent theme among government and non-government regulators, which we have previously written about here and here. These responsibilities may include:
Finally, financial institutions that already have an information security risk assessment framework in place need not scrap their current work in favor of wholesale adoption of the Assessment. Rather, the Assessment is constructed to allow institutions to review their current efforts against the Assessment to gauge the effectiveness of their program. Doing so should be easier for those institutions that already have adopted the National Institution of Standards and Technology (NIST) Cybersecurity Framework because the Assessment provides a robust mapping of the Assessment to the NIST Cybersecurity Framework.