FAQs look at cybersecurity assessment tool

Oct. 17, 2011 -- A guide to “frequently asked questions (FAQ)” about the Cybersecurity Assessment Tool developed by the FFIEC (and to be incorporated into NCUA exams) was released today. It answers questions and clarifies points in the tool, based on questions received over the past year.

In a release, the FFIEC stated that its members (NCUA, OCC, CFPB, FDIC, Federal Reserve and the State Liaison Committee) “developed the Assessment to help financial institutions’ management determine their risk profile and determine the institutions’ inherent risks and cybersecurity preparedness.” The FFIEC stated that the Assessment provides a “repeatable and measurable process that financial institutions’ management may use to measure their cybersecurity preparedness over time.”

The release noted that use of the tool is voluntary; financial institution management may choose to use the Assessment or another framework, or another risk assessment process to identify inherent risk and cybersecurity preparedness.

NCUA spokespeople have reiterated several times that the agency is not mandating use of the tool. Rather, the tool is incorporated into the agency’s exam approach – and the agency will expect credit unions to be performing some sort of cybersecurity assessment, using the FFIEC tool or some other appropriate instrument.

FFIEC FAQs regarding Cybersecurity Assessment Tool (CAT)