Tag: CAT

16 Jun 2022
E-Banking Booklet

FFIEC Cancels E-Banking Handbook

On May 13, 2022, the FFIEC very quietly rescinded the FFIEC Information Technology Examination Handbook (IT Handbook) booklet entitled E-Banking. The original booklet was released in 2003 and was accompanied by a flurry of activity by financial institutions to come up with a separate E-banking policy and risk assessment. In effect, the FFIEC is now declaring (admitting?) that these are no longer necessary because all the basic risk management principles that apply to E-Banking are already addressed in other Handbooks. Operational risk is addressed in the Business Continuity Management Handbook, information security risk is addressed in the Information Security Handbook, cyber risk is assessed in the Cybersecurity Assessment Tool, and third-party risk is addressed here, here, and here.

We agree with this approach, and have long held that separately addressing each new emerging or evolving technology was cumbersome, duplicative, and unnecessary.  In our opinion, shifting the focus of the handbooks to basic risk management principles and best practices that can apply to all business processes makes more sense and is long overdue. Could the Wholesale and Retail Payment Systems handbooks be phased out next?  How about the Cybersecurity Assessment Tool?  Since cybersecurity is simply a subset of information security more broadly, could we see a phase-out of a separate cyber assessment?  Or even better, could we see the Information Security Handbook include a standardized risks and controls questionnaire that includes cyber?

Admittedly this is only one less policy and one less risk assessment, but we’ll be watching this trend with great interest. Anything that can help ease the burden on overworked compliance folks is a welcome change!

13 Jun 2017
Banker looking over the CAT

FFIEC Cybersecurity Assessment Tool Update

The FFIEC recently released a long-awaited update to the Cybersecurity Assessment Tool, and we think overall it is a relatively minor but useful evolution. But before we get into the details of what the update does address, it’s important to note that it did not address the ambiguity issues that plague the current assessment. One example…in the Inherent Risk section, there are a plethora of semicolons. Are they supposed to be interpreted as “or” or “and”? Take the question about personal devices being allowed to connect to the corporate network (4th question in the Technologies and Connection Types category).

The minimal risk level states the following:

“Only one device type available; available to <5% of employees (staff, executives, managers); e-mail access only.”

If the semicolons are interpreted as “or,” the statement reads like this:

“Only one device type available OR available to <5% of employees (staff, executives, managers) OR e-mail access only”.

This is considerably different than:

“Only one device type available AND available to <5% of employees (staff, executives, managers) AND e-mail access only”.

Unfortunately, the update did not offer any clarification on this, and as a result we are left to guess what the regulator’s intentions are. Our approach has been to risk-rank each question segment individually. So in the example above, what is the greater risk? The number of device types, the number of employees using them, or what they are allowed to access? We rank the risk of what employees are allowed to access highest, followed by the number of employees accessing, followed by the device types. And this is just one example: 18 of the 39 inherent risk questions present this type of interpretive challenge, and correct interpretation is absolutely critical, because your gap analysis and subsequent cyber action plan depend on an accurate inherent risk assessment.

Appendix A

However, the FFIEC CAT update does impact two areas: the first is a more detailed cross-reference in Appendix A mapping the baseline statements to the two recently released IT Handbooks (Management and Information Security), and the second will give most FIs more flexibility when evaluating declarative statements.

First, the changes to Appendix A. Compare the original Risk Management/Audit section…

Risk Management/Risk Assessment: The risk assessment is updated to address new technologies, products, services, and connections before deployment.

Source: IS.B.13: Risk assessments should be updated as new information affecting information security risks is identified (e.g., a new threat, vulnerability, adverse test result, hardware change, software change, or configuration change). IS.WP.I.3.3: Determine the adequacy of the risk assessment process.
* Information Security, E-Banking, Management, Wholesale Payments

…with the updated section:

Risk Management/Risk Assessment: The risk assessment is updated to address new technologies, products, services, and connections before deployment.

Source: IS.II.A: pg7: External events affecting IT and the institution’s ability to meet its operating objectives include natural disasters, cyber attacks, changes in market conditions, new competitors, new technologies, litigation, and new laws or regulations. These events pose risks and opportunities, and the institution should factor them into the risk identification process.

IS.II.C:pg11: Additionally, management should develop, maintain, and update a repository of cybersecurity threat and vulnerability information that may be used in conducting risk assessments and provide updates to senior management and the board on cyber risk trends.

IS.WP.8.3.d: Determine whether management has effective threat identification and assessment processes, including the following: Using threat knowledge to drive risk assessment and response.

This more detailed and expanded set of cross-references will be useful for both institutions and consultants as they navigate their way through this interpretive minefield.

However, this could be the most significant change:

“The updated Assessment will also provide additional response options, allowing financial institution management to include supplementary or complementary behaviors, practices and processes that represent current practices of the institution in supporting its cybersecurity activity assessment.” (Emphasis added)

It took us a while to find how this one was implemented because we were looking for a whole new section, but all the FFIEC has done is add a third option to your response to the declarative statements in the Control Maturity section. Prior to this update, you could only answer either “Y” or “N”. Now there is a third option: “Y(C)”, or Yes with Compensating Controls:

CAT Yes/No Controls

The FFIEC defines a Compensating Control as:

“A management, operational, and/or technical control (e.g., safeguard or countermeasure) employed by an organization in lieu of a recommended security control in the low, moderate, or high baselines that provides equivalent or comparable protection for an information system.”

Essentially what this means is that institutions will now be able to document adherence to a declarative statement using either direct (primary) controls or alternative compensating controls, IF they are able to properly identify them. Because these controls are “in lieu of” recommended controls, they are necessarily more difficult to identify and document than a primary control.

That said, having a way for institutions to document their adherence to a particular declarative statement using either direct or compensating controls is a significant improvement, and should ultimately result in more declarative statements being marked as achieved. Be careful, though: although we haven’t seen any IT exams since the update, a “Y(C)” response may very well prompt additional regulatory scrutiny precisely because it requires more documentation.

Safe Systems has assisted almost 100 customers through the CAT so far, helping to document their responses, producing stakeholder reports, and crafting action plans. Let us know if we can help you.

21 Mar 2017
Late Night Exam Questions

Ask the Guru: How Can I Best Determine My Cyber Risk Profile?

Hey Guru!

We just completed the Cybersecurity Assessment, so now we have our current risk and control maturity levels identified.  Can we draw any conclusions about our average risk and control levels?  For example, most of our risks are in the Least and Minimal areas, but we do have a few Moderate as well.  Can we just average them and conclude that our overall cyber risk levels are minimal?


Towards the end of last year the FFIEC released a Frequently Asked Questions document about the Cybersecurity Assessment Tool, and item #6 directly addressed your question.  The Council stated that “…when a majority of activities, products, or services fall within the Moderate Risk Level, management may determine that the institution has a Moderate Inherent Risk Profile.”

This would seem to validate the approach of using the average[1] of all risk levels to identify your overall risk level. However, they go on to state that each risk category may pose a different level of risk. “Therefore, in addition to evaluating the number of times an institution selects a specific risk level, management may also consider evaluating whether the specific category poses additional risk that should be factored into the overall assessment of inherent risk.” This would appear to directly contradict the averaging approach, indicating (correctly, in my opinion) that since all risks are NOT equal, you should NOT determine overall risk based on an average.

For example, let’s say that all of your risks in the Technologies and Connection Types category are in the Least and Minimal level except for Unsecured External Connections, which is at the Moderate level.  So you have 13 items no higher than minimal, and 1 item moderate.  Sounds like an overall minimal level of risk, right?  Except a Moderate level of risk for Unsecured External Connections indicates that you have several (6-10) unsecured connections.  As any IT auditor will tell you, even 1 unsecured connection can be a serious vulnerability!

So although the FFIEC says that “…you may determine…” you’re at one level if the majority of your responses fall within that level, they go on to say you really shouldn’t draw that conclusion without additional evaluation.

This is just one of many examples of confusing, conflicting, and occasionally misleading elements in the CAT, and a very good reason to have assistance filling it out (shameless plug).


[1] There are three primary ways of defining “average”: mean, mode and median. If you’ve assigned 1-5 numeric values to the risk levels, we can define average as “mean”. If we’re assuming average is “mode”, it’s simply the value that occurs most often. This would appear to be the way the FFIEC is approaching it. Regardless of how you define “average”, it leads to the same (inaccurate) conclusion.
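To make the point above concrete, here is an added example (not code from the original post or from Safe Systems) that scores the 14-item category from the example in all three senses of “average” and then applies the FAQ’s “additional evaluation” as a rule that lets a critical item override the majority. The item names other than the two mentioned on the page are constructed placeholders, and the set of “critical” items is an assumption for this example.

```python
from collections import Counter
from statistics import mean, median

# CAT inherent risk levels in ascending order, scored 1-5 for averaging.
LEVELS = ["Least", "Minimal", "Moderate", "Significant", "Most"]
SCORE = {name: i + 1 for i, name in enumerate(LEVELS)}

# Constructed responses for one 14-item category, mirroring the post's
# Technologies and Connection Types example: only the two item names that
# appear on the page are real; the remaining twelve are placeholders.
RESPONSES = {
    "Unsecured External Connections": "Moderate",  # i.e. 6-10 unsecured connections
    "Personal devices allowed to connect to the corporate network": "Minimal",
}
for n in range(3, 15):
    RESPONSES[f"constructed item {n}"] = "Least" if n % 2 else "Minimal"

# Items whose single elevated answer should not be averaged away
# (assumption for this example; the post names only unsecured connections).
CRITICAL_ITEMS = {"Unsecured External Connections"}


def averaged_profile(responses, how="mode"):
    """Profile taken purely from the distribution of answers, i.e. the
    'majority of activities' reading of FAQ item 6. 'mode' counts level
    names; 'mean' and 'median' use the 1-5 scores and round to a level."""
    if how == "mode":
        return Counter(responses.values()).most_common(1)[0][0]
    scores = [SCORE[level] for level in responses.values()]
    value = mean(scores) if how == "mean" else median(scores)
    return LEVELS[round(value) - 1]


def evaluated_profile(responses, critical=CRITICAL_ITEMS):
    """Profile with the 'additional evaluation' the FAQ also asks for:
    start from the averaged level, then raise it to the level of any
    critical item that scores higher. Returns (level, what drove it)."""
    level = SCORE[averaged_profile(responses)]
    driver = "majority of responses"
    for item in sorted(critical):
        if item in responses and SCORE[responses[item]] > level:
            level, driver = SCORE[responses[item]], item
    return LEVELS[level - 1], driver


if __name__ == "__main__":
    for how in ("mode", "mean", "median"):
        print(f"{how:>6}: {averaged_profile(RESPONSES, how)}")
    print("evaluated:", evaluated_profile(RESPONSES))
```

All three averages report Minimal for this category, while the evaluated profile comes out Moderate, driven by the one unsecured-connections answer.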