The Federal Financial Institutions Examination Council's new Cybersecurity Assessment Tool needs to be redesigned - and the sooner, the better.
The current design of the tool, also known as CAT, sets institutions up for cyber-risk assessment failure. That's because the tool doesn't take into account the unique cybersecurity risks banking institutions face. And users aren't offered any opportunity to explain why they have or have not complied with specific categories and subcategories included in the tool's questions.
But banking executives say they're hopeful the FFIEC will be receptive to the industry's desire for a second version of the tool to be released by midyear. For now, none of the federal banking agencies that make up the FFIEC are saying what we might expect to see after a second comment period closes Jan. 15.
The FFIEC would be wise to carefully consider the feedback it receives, and then use that feedback to make significant and meaningful changes to the tool - without delay (see Will FFIEC Revamp Cyber Assessment Tool?).
The fact that the FFIEC is accepting a second wave of comments could very well be an indication that some changes to the tool are, indeed, on the way.
Mike Wyffels, chief technology officer of QCR Holdings, a $2 billion company that owns four banking institutions, says the tool feels more like a "checkbox" exercise than an interactive assessment tool.
"Some questions are difficult to answer because you may do some things for a particular question but not others," Wyffels says. "You have to weigh your response to either a 'yes' or a 'no.' Those types of questions require more follow-up and explanation for internal and external audiences to understand the scope with which you do or don't do certain things."
Instead, Wyffels suggests the tool should focus on an institution's cybersecurity maturity and provide guidance about cybersecurity controls that could be implemented based on the institution's overall risk posture.
Avivah Litan, a financial fraud and cybersecurity analyst at the consultancy Gartner, agrees, contending that the FFIEC's Cybersecurity Assessment Tool is too rigid and leaves little room for banks to adequately assess their actual cybersecurity risks.
The tool's yes-and-no question-and-answer format leaves no room for banks and credit unions to provide open-ended responses that could better explain their current levels of cybersecurity maturity, says John Carlson, vice chairman of the Financial Services Sector Coordinating Council, which represents the interests of large and midsize U.S. banking institutions, stock exchanges, card networks and banking associations.
The FSSCC in September sent a letter to the FFIEC requesting a re-evaluation of the tool.
Now Carlson and many others say they are hopeful that banking regulators will go back to the drawing board and collaborate more closely with the industry on version 2.0 of the tool.
"The fundamental challenge that bankers face is that the tool is being used in the examination process," Carlson tells me. "The tool is encouraging more awareness and dialogue involving board involvement, risk assessment, security maturity and an institution's risk appetite. But we'd recommend an increased level of participation in future iterations of the tool to provide additional value to the financial sector."
Too Soon for Regulatory Exams
Over the course of the last two weeks, I've been told by numerous sources that regulatory examiners are using the tool in their routine IT examination processes.
The Office of the Comptroller of the Currency, the lead agency for the FFIEC, acknowledged: "The OCC has started to use the tool as part of our examinations of our national banks and federal savings associations."
The OCC says it plans to use the tool to "better measure the risk and assess the preparedness of individual institutions," and then take that information to help develop future supervisory guidance related to cybersecurity.
But that use for the tool was never mentioned when the FFIEC released it last summer. The tool was promoted as being a "voluntary" cybersecurity asset that could help banking institutions self-assess their cybersecurity risk.
Using the tool now as part of examinations is unfair to banks and credit unions because it's obvious that the tool needs some major refinements.
It's critical for the FFIEC to work more closely with the industry to develop a new version of the tool that actually helps banks and credit unions improve their cybersecurity postures. Right now, however, the tool seems more like an unneeded addition of yet another checkbox approach to compliance.