In a letter to the Federal Financial Institutions Examination Council earlier this month, ABA and the Bank Policy Institute offered feedback on the FFIEC Cybersecurity Assessment Tool, a voluntary tool developed in 2015 to help financial institutions assess their cyber risk and preparedness. Emphasizing that the tool should continue to be a voluntary resource, they called on the council to leverage other cybersecurity tools that have been created since the release of the CAT, including the Cyber Risk Institute Profile, which was created with the help of ABA and BPI and is continually updated.
“[L]everaging the CRI Profile would provide greater opportunity for financial institutions to minimize the burden to responding to numerous bespoke exams, as well as provide regulators with greater visibility into systemic risk by using a widely adopted cyber control assessment and assurance that examiners and financial institutions are speaking the same language,” the groups wrote. “By basing examinations on existing and widely-recognized standards, government agencies would be better positioned to hire examiners because a larger pool of potential candidates are familiar with the baseline examination expectations.”
They further recommended that FFIEC encourage examiner training on other global standards and frameworks for cyber risk assessment, including the National Institute of Standards and Technology’s Cybersecurity Framework, to which the CRI Profile is aligned.