With the release of its Cybersecurity Assessment Tool in June 2015, the Federal Financial Institutions Examination Council looked to provide banks and credit unions with means to examine and assess their level of security and risk to cyberthreats. Completed assessments would be another “tool” in the financial institution’s belt for controlling security risks.
The CAT’s first section (inherent risk) provides guidance on what to consider and how to view “inherent” or “raw” risk. Inherent (raw) risk is the level of risk that exists before any controls are applied; it is the starting point for your risk analysis. Using the information and listed items in the CAT, your credit union can get a picture of the risk it takes on when deploying various technology systems, products and services, before security measures and controls are put into place.
The CAT’s inherent risk categories and ratings can be useful to your credit union in examining the potential change in the risks you face when looking to add or change technology products and services. For example, imagine that your credit union is thinking of adding person-to-person payments to its portfolio of products. Looking through the inherent risk table provides some insight into the level of risk (or the change in risk) involved in doing this.
The second section (maturity) builds on Carnegie Mellon University’s Capability Maturity Model Integration framework for examining and improving process efficiency and effectiveness. For credit unions, these maturity items provide insight into how well cybersecurity is being handled currently (how mature it is), and how improvements can be made. For the maturity section, it is important to remember you can’t move up a level unless all the items in the prior levels are being done.
The focus areas within the CAT’s maturity section (cyber-risk management and oversight, threat intelligence and collaboration, cybersecurity controls, external dependency management, cyberincident management and resilience) are useful in grouping together cybersecurity concerns at a high level. Think of these focus areas as key sections in your information/cybersecurity strategy documents. For example, based on this, you might ask, “What is our credit union’s cyber-risk management and oversight strategy going to be?”
It is important to see CAT not as an end, but rather a means to an end. “We copied and pasted the CAT items into a checklist and were able to check off many of the items – so we’re doing fine!” is not the statement your board of directors needs to hear on how your credit union manages cybersecurity risks.
While the tool provides insight into the inherent risk in using various technologies—helpful as you begin your risk assessment—it does not examine how the risk levels or changes in the levels fit into the credit union’s enterprise risk profile. For example, deciding to add mobile banking increases the delivery channels (mobile presence) risk. But, deciding not to add mobile banking can be riskier overall for the credit union if it has an impact on member growth and retention objectives.
It is also important to understand that the stated inherent risk levels may have been appropriate when the documentation was finalized last June, but there is no reason to assume they will stay at those levels over time. They may increase or decrease.
In developing the tool, FFIEC needed to cover very large financial institutions. So in many cases, the example numbers or values (20 or more, >1,000, 501 – 1,500, etc.) listed for various items are much larger or higher than the average credit union has or will grow into. However, this doesn’t mean your credit union will never have or grow into those levels of risk. Your credit union should not use the numbers as hard and fast lines-in-the-sand to judge your inherent risk level (or when you bump up to the next level). Instead, look at the numbers as representative examples, and consider them in relationship to your asset size, number of employees, support staff, and control environment.
As noted earlier, the maturity section offers insights into actions your credit union can take to enhance its cybersecurity posture, helping to address the question, “What more can we do?” In reviewing the various items, your credit union should consider where it currently stands and what level of maturity best meets its enterprise objectives for cybersecurity and risk management. Your credit union may decide that an intermediate (Level 3) or advanced (Level 4) maturity level best serves the credit union and its members: the costs of moving to a higher level may outweigh any benefits.
Your credit union should also understand that maturity level items, like inherent risk levels, work on a bit of a sliding scale. What is considered an “evolving” item this year may become a “baseline” item next year. Additionally, the fact that an item is being done does not mean it is being done well.
While questions have been raised on the true effectiveness of the CAT and the degree to which it aids credit unions in improving their cybersecurity posture, it does provide important information your credit union can use to understand cybersecurity risks, and options for improving and strengthening your ability to keep those risks at acceptable levels.
Jim Benlein, CISA, CISM, CRISC, owns KGS Consulting, LLC, Silverdale, Wash., and offers insights to CUs on information technology governance, information security, and technology risk management.
If your credit union is looking for additional insights into process maturity, Benlein recommends Carnegie Mellon’s CMMI Institute and the Information Systems Audit and Control Association.