Compliance Guru • FFIEC Guidance
  • Ask the Guru
  • The Guru Speaks
  • About
  • Ask the Guru
  • The Guru Speaks
  • About
By Tom Hinkel In Ask the Guru

Ask the Guru: How Can I Best Determine My Cyber Risk Profile?

Late Night Exam Questions

Hey Guru!

We just completed the Cybersecurity Assessment, so now we have our current risk and control maturity levels identified.  Can we draw any conclusions about our average risk and control levels?  For example, most of our risks are in the Least and Minimal areas, but we do have a few Moderate as well.  Can we just average them and conclude that our overall cyber risk levels are minimal?


Towards the end of last year the FFIEC released a Frequently Asked Questions document about the Cybersecurity Assessment Tool, and item #6 directly addressed your question.  The Council stated that “…when a majority of activities, products, or services fall within the Moderate Risk Level, management may determine that the institution has a Moderate Inherent Risk Profile.”

This would seem to validate the approach of using the average1 of all risk levels to identify your overall risk level.  However, they go on to state that each risk category may pose a different level of risk. “Therefore, in addition to evaluating the number of times an institution selects a specific risk level, management may also consider evaluating whether the specific category poses additional risk that should be factored into the overall assessment of inherent risk.”  This would appear to directly contradict the averaging approach, indicating (correctly, in my opinion) that since all risks are NOT equal, you should NOT determine overall risk based on an average.

For example, let’s say that all of your risks in the Technologies and Connection Types category are in the Least and Minimal level except for Unsecured External Connections, which is at the Moderate level.  So you have 13 items no higher than minimal, and 1 item moderate.  Sounds like an overall minimal level of risk, right?  Except a Moderate level of risk for Unsecured External Connections indicates that you have several (6-10) unsecured connections.  As any IT auditor will tell you, even 1 unsecured connection can be a serious vulnerability!

So although the FFIEC says that “…you may determine…” you’re at one level if the majority of your responses fall within that level, they go on to say you really shouldn’t really draw that conclusion without additional evaluation.

This is just one of many examples of confusing, conflicting, and occasionally misleading elements in the CAT, and a very good reason to have assistance filling it out (shameless plug).

 

1 There are 3 primary ways of defining “average”; mean, mode and median.  If you’ve assigned 1-5 numeric values to the risk levels, we can define average as “mean”.  If we’re assuming average is “mode”, it’s simply the value that occurs most often.  This would appear the way the FFIEC is approaching it.  Regardless how you define “average”, it leads to the same (inaccurate) conclusion.

Print Friendly, PDF & Email

Share this:

  • Facebook
  • LinkedIn
  • Twitter
  • Print
CAT cybersecurity Cybersecurity Assessment Tool ECAT FFIEC

Article by Tom Hinkel

As author of the Compliance Guru website, Hinkel shares easy to digest information security tidbits with financial institutions across the country. With almost twenty years’ experience, Hinkel’s areas of expertise spans the entire spectrum of information technology. He is also the VP of Compliance Services at Safe Systems, a community banking tech company, where he ensures that their services incorporate the appropriate financial industry regulations and best practices.

Related Articles

  • Looking Ahead to 2021
    A Look Back at 2020 and a Look Ahead to 2021: A Regulatory Compliance Update
  • Ask the Guru – Can We Apply Similar Controls to Satisfy Both GLBA and GDPR
    Can We Apply Similar Controls to Satisfy Both GLBA and GDPR?

Leave your comment Cancel Reply

You must be logged in to post a comment.

Join Our Community

Browse Posts

  • Ask the Guru
  • Ask the ISO
  • From the Field
  • Hot Topics
  • Reading Between the Lines
  • Resources

Copyright © Compliance Guru®.
All Rights Reserved.

Powered by Safe Systems. Privacy Policy

Stay up to date with these pandemic resources for community banking.See COVID-19 Resources
+