Sage Advice - Cybersecurity Blog

2015 FFIEC Cybersecurity Priorities


Earlier this year, the Federal Financial Institutions Examiner’s Council (FFIEC) announced that their 2015 cybersecurity priority is to enhance regulator and financial institution assessment and examination capabilities, including updating the IT Examination Handbook, enhancing the technology service provider (TSP) examinations, and providing financial institutions with a self-assessment tool.

#1: Update the IT Examination Handbook

FFIEC is updating the Information Technology Examination Handbook to reflect rapidly evolving cyber threats and vulnerabilities. Their focus will be on risk management and oversight, threat intelligence and collaboration, cybersecurity controls, external dependency management, and incident management and resilience. The current IT handbook has not been updated for a few years. The proposed revision (or supplement) will bring it up-to-date, and reflect what is currently going on in the cyber environment. This is particularly important because it will provide institutions with insight into what future examinations are going to focus on, and help them better prepare.

For updates, visit the FFIEC InfoBase at

#2: Focus on Technology Service Providers

Technology service providers (TSPs) are subject to regulatory examinations. To date, examiners have not focused on cyber threat or response capabilities; this is about to change. Examiners will be assessing how TSPs prepare for cyber threats, how they detect and respond to them, and how are they communicate and interact with financial institutions during an incident.  

3: Publish and Support a Cybersecurity Financial Institution Assessment Tool

The FFIEC has developed a new Cybersecurity Assessment Tool to assist financial institutions in evaluating their cybersecurity risk and incident management capabilities. The tool was released in June 2015, and contains two parts. The first part is the Inherent Risk Profile which describes activities across risk categories and defines the level of inherent risk from least to most. Cybersecurity Maturity is the second part, which allows management to measure the institution’s level of risk and corresponding controls.

More information on the FFIEC’s Cybersecurity Assessment Tool can be found at

Service Provider Cybersecurity Review Program Now Available!

Proper oversight of your third-party service providers, including Technology Service Providers (TSPs), is an essential element of your institution’s cyber resilience strategy.  You can outsource the function, but never the responsibility.  Tyler Cybersecurity’s Service Provider Cybersecurity Assessment Program supports the management of all your third-party service providers and ensures you are in compliance. 

Learn More


Image courtesy of Stuart Miles at

Topics: Compliance, Financial Sector

The Tyler Cybersecurity Lifecycle

Cybersecurity isn’t a destination.

Cybersecurity Lifecycle

There is no single, straight path that will get you to the point where you can say, “We did it! We’re 100% cyber-secure.”

A more realistic destination is cyber resiliency – the ability to prepare for and adapt to changing conditions, so you can withstand and recover rapidly from disruptions. Achieving cyber resilience depends on what we like to call the cybersecurity lifecycle – an ongoing cycle of interconnected elements that compliment and reinforce one another.

Learn More