ABA Banking Journal

Cybersecurity Self-Assessment Tool Helps Combat Risk

November 4, 2015

By Debra Cope

The real and growing threat of cyberattacks against financial institutions has firmly established cybersecurity as a C-suite and boardroom priority. With the introduction of the federal financial regulatory agencies’ Cybersecurity Assessment Tool, banks are gaining a new resource to help them measure, demonstrate and continuously monitor their preparedness. But they also face new implementation challenges.

Unveiled in June by the Federal Financial Institutions Examination Council, the assessment tool was designed to help institutions identify their inherent risks and determine their cybersecurity maturity across five risk areas. Its issuance culminated more than a year of intensive work by the FFIEC’s Cybersecurity and Critical Infrastructure Working Group, and underscores the importance of calibrating a bank’s cybersecurity posture to its individual activities and risks.

The working group laid a foundation in 2014 by conducting a four-week pilot program evaluating 500 community institutions’ capacity to mitigate cyber risks. The findings shaped the development of the assessment tool, which aligns with the FFIEC Information Technology Examination Handbook and the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework.

“It’s not a silver bullet or a stand-alone,” says Bethany Dugan, deputy comptroller for operational risk at the OCC. “It is one more resource for bankers to help understand their potential risk exposure and profile and to gauge where they stand in being able to deal with the threats.”

Importantly, Dugan says, “it provides a common point of view on cybersecurity. We heard from institutions and bankers that we supervise that that was one of the things they were looking for.”

Use of the tool by banks is optional—with an asterisk. In separate letters to the institutions they supervise, the FDIC says its examiners will discuss the tool with management during exams to make sure they are aware of it; the OCC states that its examiners will gradually incorporate the assessment into bank exams; and the Federal Reserve Board notes that it would begin to use the assessment tool in the exam process by early 2016.

In other words, “It’s voluntary until the examiners come in and say, ‘Why didn’t you do this?’ Then suddenly it’s not so voluntary anymore,” says Kevin Petrasic, a partner in the Washington, D.C., office of the law firm Case and White LLP.

Two key components

The assessment has two parts. First, management evaluates the institution’s inherent risk, which encompasses the type, volume and complexity of the institution’s operations, plus threats directed at the institution.

“It is important to be able to say, ‘What is the landscape of what I look like in technology, connections and delivery channels? How is my organization put together? What are the risks that can come to me?’” Dugan says. “Then you have to turn to ‘How well am I prepared? How good is my governance over those risks that I have? How strong is my control structure?’” she adds.

That’s where the second part of the assessment begins. Once management understands the institution’s inherent risk, it can gauge cybersecurity maturity according to five risk areas, which the assessment calls “domains.” These domains are cyber risk management and oversight, threat intelligence and collaboration, cybersecurity controls, external dependency management, and cyber incident management and resilience. The ratings in each area are, in ascending order, baseline, evolving, intermediate, advanced and innovative.

A major objective of this process is “bringing IT to the board,” says Anthony Scarola, EVP and director of technical information security at TowneBank, a $6.1 billion bank based in Suffolk, Va. This means demonstrating “where the bank lies on the inherent risk trajectory and translating that to the financial experts sitting in board and executive-level positions who do not have the background to perform that kind of analysis.” By providing a common framework and vocabulary for talking about cybersecurity, the assessment “is one tool for the industry that is a value-add,” he says.

“The main message to board members is to engage management in discussions on cyber-preparedness to understand the institution’s vision, risk appetite and overall strategic direction. Additionally, the board should review the results of management’s ongoing monitoring of the institution’s exposure to and preparedness for cyber threat,” the Fed notes in a statement to the ABA Banking Journal.

Industry interest in the assessment tool has been strong. The OCC, for instance, held a webinar that drew more than 1,000 participants. “It was very interactive, with a 35- to 40-minute presentation plus a question-and-answer session for the remainder of an hour and a half,” Dugan says. Bankers asked the OCC to explain the defined terms and wanted to know how examiners would use the tool.

The Fed says the tool will be updated “as threats, vulnerabilities and operational environments evolve,” but cautions that banks must monitor their own operating environment and act swiftly to mitigate threats.

Time and resources

A key question is how much time banks will need to perform assessments. The regulatory agencies estimated it will take an average of 80 hours—but the key word is “average.”

“Every bank is different. Everybody understands that,” says Scarola. At some smaller institutions, he notes, the head of cybersecurity wears multiple hats in IT leadership and risk management. “If they’ve got all the answers because they manage the IT side, it clearly will take less time,” Scarola says. It’s possible for such an institution to complete an assessment in one or two weeks.

But as an institution’s size and complexity increase, the security expert within IT, like Scarola himself, has to budget time for coordinating with others within IT and across the organization. “With close to 1,500 employees, more time is required. You’ve got to work with other people’s schedules,” says Scarola, who is co-chair of ABA’s Cyber and Information Security Working Group and a member of the Community Institution Advisory Board of the Financial Services Information Sharing and Analysis Center.


Some of the tasks involved in setting up the tool are mundane but necessary. The FFIEC delivered the assessment in PDF format. “You basically need to copy-paste it to put it into your files and databases to automate the risk calculations,” Scarola says.

For TowneBank, he found it workable to put into a Microsoft Access database, where he could create ports for internal clients to access various parts of the tool.
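To show what “automating the risk calculations” for the maturity half of the assessment can look like once the PDF content is in a database, here is a small added example in Python. It is not code from the FFIEC, TowneBank or the article. The five domain names and the ascending order of the maturity levels are taken from the article; everything else is assumed for illustration: the sample declarative statements are constructed, and the rule that a domain reaches a level only when every statement at that level and at all lower levels is met is an assumption of this example, not a rule the article states.

```python
"""Toy maturity calculator for a two-part cybersecurity self-assessment.

Added example, not part of the FFIEC tool or the article. The domain names
and maturity level order come from the article; the statements below are
constructed samples, and the cumulative rule in attained_level() is an
assumption made for this example.
"""
from dataclasses import dataclass

# Ascending order as given in the article.
MATURITY_LEVELS = ["baseline", "evolving", "intermediate", "advanced", "innovative"]

# The five domains named in the article.
DOMAINS = [
    "Cyber Risk Management and Oversight",
    "Threat Intelligence and Collaboration",
    "Cybersecurity Controls",
    "External Dependency Management",
    "Cyber Incident Management and Resilience",
]


@dataclass
class Statement:
    """One declarative statement that management answers yes/no (met/unmet)."""
    domain: str
    level: str
    text: str
    met: bool = False


def attained_level(statements, domain):
    """Highest level whose statements, and those of every lower level, are all met.

    Assumption: levels are cumulative, so a met 'advanced' statement does not
    count while an 'intermediate' one is still unmet. Returns None when the
    domain has no assessed 'baseline' statements or fails them.
    """
    attained = None
    for level in MATURITY_LEVELS:
        at_level = [s for s in statements if s.domain == domain and s.level == level]
        if not at_level or not all(s.met for s in at_level):
            break
        attained = level
    return attained


def maturity_report(statements):
    """Board-level view: one attained level per domain."""
    return {d: attained_level(statements, d) for d in DOMAINS}


def gaps(statements, domain, target_level):
    """Unmet statements at or below the target level: the work list to reach it."""
    cutoff = MATURITY_LEVELS.index(target_level)
    return [s.text for s in statements
            if s.domain == domain and not s.met
            and MATURITY_LEVELS.index(s.level) <= cutoff]


def domains_below_target(statements, target_level):
    """Domains whose attained level is below the level management has set as its goal."""
    target = MATURITY_LEVELS.index(target_level)
    report = maturity_report(statements)
    return [d for d, lvl in report.items()
            if lvl is None or MATURITY_LEVELS.index(lvl) < target]


# Constructed sample answers (not from any real assessment).
CONTROLS = "Cybersecurity Controls"
INCIDENT = "Cyber Incident Management and Resilience"
SAMPLE_STATEMENTS = [
    Statement(CONTROLS, "baseline", "Patches are applied on a defined schedule", True),
    Statement(CONTROLS, "baseline", "Anti-malware is deployed on all endpoints", True),
    Statement(CONTROLS, "evolving", "Vulnerability scans run on a regular cycle", True),
    Statement(CONTROLS, "intermediate", "Patch status is tracked centrally with approved exceptions", False),
    Statement(CONTROLS, "advanced", "Configuration drift is detected automatically", True),
    Statement(INCIDENT, "baseline", "An incident response plan exists and is board-approved", True),
    Statement(INCIDENT, "evolving", "The incident response plan is exercised annually", False),
]

if __name__ == "__main__":
    for domain, level in maturity_report(SAMPLE_STATEMENTS).items():
        print(f"{domain}: {level or 'not assessed'}")
    print("To reach 'advanced' in controls:", gaps(SAMPLE_STATEMENTS, CONTROLS, "advanced"))
    print("Below 'evolving':", domains_below_target(SAMPLE_STATEMENTS, "evolving"))
```

Running it reports the Cybersecurity Controls domain as “evolving”, not “advanced”, even though an advanced statement is met, because an intermediate statement is still open; that unmet statement is exactly what `gaps()` returns as the next item of work. The unassessed domains come back as `None` rather than “baseline”, so a blank section of a half-finished assessment cannot silently read as a passing grade.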

The fact that the assessment tool is an outgrowth of a pilot test for community banks underscores its value to community banks, but also its potential challenges. “My perception is that the assessment tool is as much—if not more—directed at the smaller institutions versus larger ones,” Petrasic says. “Smaller institutions have been forewarned that they are particularly vulnerable to hackers.”

The key takeaways for C-level executives and board members are really pretty simple, Petrasic adds. Read the guidance. Talk with whomever is charged with managing the institution’s cybersecurity. Understand and make clear how critical this issue could be for an institution that doesn’t get it right.

“These are not speculative issues anymore. These are real and important issues for the board and management to ponder and discuss,” he says.

For a perspective on cybersecurity from Deputy Secretary of Commerce Bruce Andrews, who oversees the cyber framework developed by the National Institute of Standards and Technology, click here.


Debra Cope is editor-in-chief of ABA Banking Journal Directors Briefing.

© 2025 American Bankers Association. All rights reserved.