Top 4 Missing Declarative Statements in the FFIEC’s Cybersecurity Assessment Tool

With the heightened risk of cybersecurity attacks for financial institutions, many community banks and credit unions are completing the Federal Financial Institutions Examination Council’s (FFIEC) Cybersecurity Assessment Tool (CAT) to assess their cybersecurity preparedness, determine their next steps to strengthen their maturity and better meet examiner expectations. The assessment consists of two parts, Inherent Risk Profile and Cybersecurity Maturity. The Inherent Risk Profile assesses the risk posed by Technologies and Connection Types, Delivery Channels, Online/Mobile Products and Technology Services, Organizational Characteristics, and External Threats. Then, Management evaluates the Cybersecurity Maturity level for five domains.

According the FFIEC’s Cybersecurity Assessment Tool Overview for Chief Executive Officers and Boards of Directors, “Cybersecurity Maturity includes statements to determine whether an institution’s behaviors, practices, and processes can support cybersecurity preparedness.” Declarative statements within each domain are assessed on maturity levels ranging from baseline to innovative. Financial institutions determine “which declarative statements best fit the current practices of the institution. All declarative statements in each maturity level, and previous levels, must be attained and sustained to achieve that domain’s maturity level.”

Since the introduction of the CAT in 2015, we have been assisting community banks and credit unions with completing this process. Based on our experience, which consists of more than 100 reviews of the CAT to date, we have identified four declarative statements that community financial institutions are struggling to complete:

Domain 4 – External Dependency Management – Connections

Data flow diagrams are in place and document information flow to external parties.”

According the FFIEC’s Information Security Handbook, “these diagrams should identify hardware, software, and network components, internal and external connections, and types of information passed between systems.” Regulators are looking for financial institutions to demonstrate solid understanding of where data is going and what type of data is being transmitted to third-parties.

Domain 1 – Cyber Risk Management and Oversight – Training and Culture

“Customer awareness materials are readily available” (e.g., DHS’ Cybersecurity Awareness Month materials)

Customer awareness materials, according to the FFIEC Information Security Handbook, are used to “increase awareness of the fraud risk and effective techniques customers can use to mitigate the risk.” These materials should “consider both retail and commercial account holders.” It is important for community banks and credit unions to communicate effective risk management strategies to their customers. The declarative statement references the US Department of Homeland Security’s website. The Stop.Think.Connect Toolkit has resources Financial Institutions can utilize to provide awareness material to customers.



Domain 3 – Cybersecurity Controls – Preventative Controls

“Domain Name System Security Extensions (DNSSEC) is deployed across the enterprise.”

DNSSEC is a technology developed to digitally ‘sign’ data to ensure it is valid and from a trusted source. By enabling this, an institution would be less susceptible to DNS spoofing attacks. However based on the experience of Safe Systems engineers, DNSSEC may cause issues throughout an organization’s systems. There are other technical tools financial institutions can implement that will enable them to meet the spirit of the statement without deploying troublesome tactics.

Domain 1 – Cyber Risk Management and Oversight – Oversight

“The institution has a cyber risk appetite statement approved by the board or an appropriate board committee.”

Regulators are looking to ensure financial institutions have a cyber risk appetite statement in place that has been approved by the Board. In fact, risk appetite is mentioned more than 17 times in the CAT. Cyber risk appetite is an assessment of how much cybersecurity risk management is willing to accept to meet the goals and objectives of the institution’s strategic plan. To read more on how to develop a cyber risk appetite, visit the Compliance Guru Blog.

Financial institutions should review their current CAT responses, specifically the declarative statements in the Baseline maturity level that have been answered “No” or that they are struggling to complete to determine if there is a way to implement a compensating control. Adding in compensating controls may allow them to answer the question in the affirmative and ensure the institution is in compliance with regulatory requirements.

For more information, please download our white paper, Understanding the FFIEC’s CAT: How Your Institution Can Improve Its Cybersecurity Posture.