The Federal Financial Institutions Examination Council’s cybersecurity assessment tool is having a big impact on small banks and how they address cybersecurity.
In June 2015, the FFIEC released its cybersecurity assessment tool, which provides a mechanism for banks to self-examine information security programs based on risk to operations. The assessment provides a standard means of evaluating security programs in banks. The tool can be particularly useful in banks with assets under $1 billion – which often lack in-house cybersecurity resources.
“Obviously cybersecurity is a huge problem right now. We’ve seen things like wire fraud attacks, which aren’t terribly high-tech but definitely impact the banking industry, although the targets are oftentimes the bank’s customers,” said Jason Riddle, partner in the Managed Security Services division of LBMC Information Security.
While completing the assessment tool is not currently mandatory, it is highly encouraged and increasingly expected by examiners, who typically look for institutions to have completed the baseline controls and may ask organizations to perform further assessments based on the results.