FFIEC Solicits Comments on Cybersecurity Assessment Tool
Council Looks to Enhance Quality, Utility and Clarity Information to Be CollectedThe U.S. federal government is soliciting thoughts on the cybersecurity assessment tool used by the Federal Financial Institutions Examination Council.
See Also: Post-Transformation: Building a Culture of Security
The governmental interagency body of all five banking regulators in 2015 introduced the tool as an ostensibly voluntary way for banks and credit unions to self-assess exposure to risk and the maturity of their cybersecurity program. The FFIEC appreciates "the benefits of using a standardized approach to assess and improve cybersecurity preparedness," as an August 2019 statement from the National Credit Union Administration underlined.
Financial services continue to be the target of severe cyberattacks, with data from consultancy Accenture showing the per-company cost of cybercrime reaching more than $18 million for sector companies.
In a notice set for publication by the Office of the Comptroller of the Currency, FFIEC members say they want information that will "enhance the quality, utility, and clarity of the information to be collected." It also asks for ways to minimize the burden of filling out the assessment, as well as whether its estimate of 90 hours on average to complete the assessment is accurate.
One thing the council will not do, the notice says, is report any public information based on analysis of anonymized contents of the assessment tool, despite a suggestion it do so. Members of the council "do not to intend to publish or otherwise make publicly available the results of financial institutions' use of the Assessment."
Only days ago, acting OCC head Michael Hsu urged an audience of Beltway financial executives to embrace multifactor authentication for better secure internal systems (see: OCC's Hsu Urges Multifactor Authentication).