March 6, 2017 by

FFIEC Risk Profile

The growing threat to cybersecurity has prompted the Federal Financial Institutions Examination Council (FFIEC) to develop a Cybersecurity Assessment Tool for banking institutions to assess their risks and cybersecurity readiness. The assessment is made up of two parts: Inherent Risk Profile and Cybersecurity Maturity.

The first part of the assessments is the Inherent Risk Profile, which recognizes the types of activities, services, and products which may pose a threat and matches it to it a risk level. The following is the classification of the activities, services, and products into categories.

Technologies and Connection Types: Depending on the complexity and maturity, some technologies and connections have a greater inherent risk, such as cloud commuting, open source software, or wireless network access.

Delivery Channels: As the number of delivery channels increase in an institution, so does the inherent risk. This addresses if products or services are found through an online presence (customer), mobile presences, and ATM machines.

Online/Mobile Products and Technology Services: This can include payment methods like debit and credit cards, person to person payments, wholesale payments, wire transfers, global remittances, trust services, merchant remote deposit capture, or treasury services. Depending on the nature of the product and technology offered, different inherit risks are assigned.

Organizational Characteristics: This can include Mergers and acquisitions, changes in the information technology environment, locations of business presence, locations of operations and data center, or the number of users with privileged access.

External Threats: This includes the volume and sophistication of attacks that target an institution.

The risk levels range from Least Inherent Risk to Most Inherent Risk, providing the ability to establish the inherent risk in each category. The number of applicable statements in each risk level help measure the institution’s overall inherent risk profile. The inherent risk may differ within each category, so the institution should evaluate the number of instances for specific risk levels and assess the specific category for risk.

The Risk Levels include:

      1. Least Inherent Risk

The banking institution is small with few employees and little use of technology, with some computers, applications, and connections.

      2. Minimal Inherent Risk

The banking institution uses a limited variety of complex technologies, products and services, and outsources its mission-critical systems. There are a few types of connections to customers and third parties that are maintained with little complexity.

       3. Moderate Inherent Risk

The banking institution uses moderately complex technology regarding quantity and sophistication. There is a possibility the mission-critical systems and applications are outsourced, and it is probable they support elements from the inside. An extensive array of products and services are also offered through diverse channels.

       4. Significant Inherent Risk

The banking institution uses complex technology offering high-risk products and services, possibly using new technologies and hosting a large amount of applications internally. The institution allows the use of a considerable number of personal devices or device types. It also manages a significant number of connections to customers and third parties and offers a variety of payment services to a third party.

      5. Most Inherent Risk

The banking institution uses very complex technologies to distribute many products and services, which are at the highest risk, including those offered to other enterprises. These emerging technologies are used throughout the delivery channels. Most mission-critical systems and applications are hosted internally, but a few may be outsourced. A great number of connection types used to transfer data to customers and third parties are managed by the institution.

About the author

Image of Author

LIFARS is the global leader in Digital Forensics and Cyber Resiliency Services. Our experience spans two decades working on high profile events, often in concert with Law Enforcement Agencies around the world. Our proprietary methodology derives directly and indirectly from our experience working with and for U.S. Intelligence Agencies, Interpol, Europol, and NATO. We are solely dedicated to Cyber Resiliency and thus pay close attention to all aspects of our clients’ engagements experience while providing a strategic and integrated array of services to minimum risk and disruption while protecting your brand.

Related articles

Mapping the Cybersecurity Assessment Tool to the NIST Framework

In 2015, the Federal Financial Institutions Examination Council (FFIEC), an interagency body under...

Read more arrow_forward

FFIEC Cybersecurity Assessment Tool Maturity Level

The Cybersecurity Assessment Tool or Assessment has been issued by The Federal Financial...

Read more arrow_forward

US Government Banking Council Releases Cybersecurity Assessment Tool

The Federal Financial Institutions Examination Council (FFIEC), a formal government interagency body...

Read more arrow_forward