Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment

Setting a Path to Cybersecurity Maturity

In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council (FFIEC) developed a Cybersecurity Assessment to help financial institutions identify their risks and determine their cybersecurity preparedness.

The Assessment provides a repeatable and measurable process for institutions to measure their cybersecurity preparedness over time. The Assessment incorporates cybersecurity-related principles from the FFIEC Information Technology (IT) Examination Handbook and regulatory guidance, and concepts from other industry standards, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework.

For institutions using the Assessment, management will be able to enhance their oversight and management of the institution’s cybersecurity by doing the following:

  • Identifying factors contributing to and determining the institution’s overall cyber risk.
  • Assessing the institution’s cybersecurity preparedness.
  • Evaluating whether the institution’s cybersecurity preparedness is aligned with its risks.
  • Determining risk management practices and controls that are needed or need enhancement and actions to be taken to achieve the desired state.
  • Informing risk management strategies.
  • Mapping to the multi-sector NIST Cybersecurity Framework.

Tyler Cybersecurity’s Collaborative Approach

Every financial institution will be expected to complete this or an equivalent assessment. The assessment is complex and can be a daunting, resource-intensive task. Tyler Cybersecurity’s collaborative approach ensures that the assessment process is effective, educational, and produces actionable outcomes.

The assessment is conducted workshop style. Upon completion of the workshop, Tyler Cybersecurity personnel analyze the responses and complete the assessment on behalf of the organization. The draft report is submitted to the institution for review. Following review and comment, the final report (described in the deliverables section below) is provided. Upon request, Tyler Cybersecurity personnel will present the report to an Executive Committee or the Board of Directors.

The Assessment consists of two parts: Inherent Risk Profile and Cybersecurity Maturity. Upon completion of both parts, management can evaluate whether the institution’s inherent risk and preparedness are aligned.

Inherent Risk Profile

Inherent risk incorporates the type, volume, and complexity of the institution’s operations and the threats directed at the institution. Inherent risk does not include mitigating controls. The Inherent Risk Profile includes descriptions of activities across risk categories, with definitions for each level of inherent risk from Least to Most (Least, Minimal, Moderate, Significant, Most). The profile helps management determine the exposure to risk that the institution’s activities, services, and products pose to the institution, both individually and collectively.

Cybersecurity Maturity

The Assessment’s second part is Cybersecurity Maturity, designed to help management measure the institution’s level of risk and the corresponding controls. The five maturity levels range from Baseline to Innovative (Baseline, Evolving, Intermediate, Advanced, Innovative); Baseline represents the minimum expectations set by law, regulation, or supervisory guidance, so every institution is expected to meet at least that level. Cybersecurity Maturity includes declarative statements used to determine whether an institution’s behaviors, practices, and processes can support cybersecurity preparedness within the following five domains:

  1. Cyber Risk Management and Oversight
  2. Threat Intelligence and Collaboration
  3. Cybersecurity Controls
  4. External Dependency Management
  5. Cyber Incident Management and Resilience

Reports and Recommendations

The deliverables of Tyler Cybersecurity’s FFIEC Cybersecurity Resilience Assessment include:

  • Executive Synopsis that includes a Cybersecurity Maturity Dashboard
  • A comprehensive interactive report that includes:
    • Cybersecurity Maturity Dashboard
    • Inherent Risk Matrix
    • Domain Results (including documented responses to 494 declarative statements organized by domain and maturity level)
    • Target state roadmap by domain
    • Target state roadmap by maturity
    • Action plan
    • FFIEC Cybersecurity Assessment to NIST Cybersecurity Framework mapping

The Tyler Cybersecurity Lifecycle

Cybersecurity isn’t a destination.

There is no single, straight path that will get you to the point where you can say, “We did it! We’re 100% cyber-secure.”

A more realistic destination is cyber resilience – the ability to prepare for and adapt to changing conditions, so you can withstand and recover rapidly from disruptions. Achieving cyber resilience depends on what we like to call the cybersecurity lifecycle – an ongoing cycle of interconnected elements that complement and reinforce one another.