FFIEC Cybersecurity Assessment Tool

Video Transcript

Welcome to this week’s Third Party Thursday! My name is Aaron Kirkpatrick and I’m the Information Security Officer here at Venminder. Today, we’re going to be talking about the FFIEC’s Cybersecurity Assessment Tool’s Frequently Asked Questions document that has been getting a lot of attention.

So let’s get started....

How does a responsible vendor manager keep up with reviewing all of their critical, high and medium risk vendors? What tools can they use? We’ve discussed SOC reports, now let’s bring a tool to the table with the Cybersecurity Assessment Tool (CAT) for short. 

Now you may be saying, WAIT! Hold up…isn’t the FFIEC’s C.A.T. meant for us, the institutions? 

You’re right, it is, but nearly all of you are using vendors for products and services you’ve outsourced, but that doesn’t mean you get to transfer all of the risk as well. The institution’s board is still responsible for all risks taken. 

You may be familiar with a risk management framework where transferring the risk is one of your options, but that is not what is happening when you outsource a product or service, you’re remediating, lessening the risk, by having an outsourced specialist provide that product or service. That risk is still inherent and still the institution board’s responsibility. 

Okay, so now what? As usual with compliance, there’s more work to be done. The great thing is that the FFIEC has provided you with template declarative statements to modify to your needs. That’s right, the FFIEC says that you are welcome to modify the provided declarative statements. 

Now, does that mean you should weaken them to artificially prop up your organization? No! You’ve just lessened the value of all the time and effort you’ve already put into this assessment as it would then not follow the spirit of the tool:  “To help institutions’ management identify their risks and determine their cybersecurity preparedness.”

Let’s break that down – “Identify Risk and Determine Preparedness” 

Why should you identify risk? Why is that the FFIEC’s statement on why they created the tool?

SIMPLE…If you don’t know the threats and vulnerabilities posed to your institution either by being in the industry that we act in, or by those introduced by our locations, our equipment and software vendors we use to support our customers or the internal processes of our institution itself, then you CANNOT protect your institution from any attack, let alone a cyber attacker.

So if the Cybersecurity Assessment Tool is voluntary, why should you or your institutions vendor management function use it? 

If you don’t know what all of your risks really are, then how do you know if you’re spending precious time and money on the right risks. Assuming you know your top risk and throwing time and money at it without doing a proper risk assessment is like throwing a dart at your board and fixing what they then calmly tell you to fix, which I bet your board would not enjoy. So don’t try that approach.

Just do a risk assessment, and why not use the Cybersecurity Assessment Tool to get you started. And remember, when you do your risk assessment, as inherent risk rises, the maturity level, the term the CAT uses, of the controls which address that risk should increase as well. 

Why else should you or your institutions vendor management function use the CAT? 

Wouldn’t it be nice to be able to tell your institution’s board that you’re doing well in your preparedness against cybersecurity attacks? Wouldn’t it be great if there were a standard on which to hold yourself against? Here it is! 

We could go on with the benefits, but this is a short talk and there’s so much more to cover! One of the five domains within the CAT specifically deals with third parties. A highlight of the FFIEC’s comment within the FAQ was, and I quote, “Management is responsible for the assessment of the risk associated with the nature, extent and complexity of its institution’s third-party relationships. Such assessment includes evaluating the extent to which controls put in place by the institution’s third party service providers could be considered in the institutions mitigation of its overall cybersecurity risk, including the cybersecurity risk associated with its use of third party service providers.” 

Alright…I lost many of you on that last statement…so let’s break it down a little bit and give a great example! 

Three Parts 

1. The first part is reminding you that institution management is responsible for looking at the pros and cons brought in when using third-parties. 
2. Second – We’re reminding you that third parties that you bring in should have significant checks and processes in place, and these checks and processes could assist in your process to minimize cybersecurity risk. That’s likely one of the reasons you use a third party for that product or service anyways, right?
3. Third – We’re talking about the added risk though that was brought in when you started using a third party to provide that product or service.  

BUT WAIT! If you’ve been following our Third Party Thursdays you’ve seen at least one of my talks on SOC reports. If not, you should check them out! 

Doesn’t the Second part of that prior statement sound a lot like what a SOC report goes over, the checks and processes, let’s now call them controls, that the third party does to further assure you that they’re providing a reliable and secure product? 

Even more, doesn’t the third part of that prior statement sound a lot like Complementary User Entity Controls, the checks and processes that you are required to have in place in order to ensure that your third party service provider’s product can BE reliable AND secure?  

It’s GREAT! What you’re hopefully already doing is already going to get you further with the FFIEC’s CAT! 

A few additional points to take away are:

• The Cybersecurity Assessment Tool is VOLUNTARY
• The Cybersecurity Assessment Tool is a value ADD to your institution!
• Don’t worry, you’re already doing many of the items in the assessment, tracking them will just show you where you’re at, what you may not have though to have addressed and where you can go from here. 
• Cybersecurity threats are not going away. They’re getting more and more complex and many institutions have flashing “open” signs on their networks without even knowing it. Don’t think if you’re small attackers won’t come after you, you’re just an easier target as you likely don’t have much of a security budget or dedicated security staff. Would you even know if an attacker was in your systems now? 

You don’t have to use the FFIEC Cybersecurity Assessment Tool, but you should be using a standard to align yourself with. And hey, the FFIEC and NCUA recommend it, so I’m sure it wouldn’t hurt in your regulator's eyes to get started. 

Again, I’m Aaron and thank you for watching! Don’t forget to subscribe to the Third Party Thursday series.