The growing threat to cybersecurity has prompted the Federal Financial Institutions Examination Council (FFIEC) to develop a Cybersecurity Assessment Tool for banking institutions to assess their risks and cybersecurity readiness. The assessment is made up of two parts: Inherent Risk Profile and Cybersecurity Maturity.
The first part of the assessments is the Inherent Risk Profile, which recognizes the types of activities, services, and products which may pose a threat and matches it to it a risk level. The following is the classification of the activities, services, and products into categories.
Technologies and Connection Types: Depending on the complexity and maturity, some technologies and connections have a greater inherent risk, such as cloud commuting, open source software, or wireless network access.
Delivery Channels: As the number of delivery channels increase in an institution, so does the inherent risk. This addresses if products or services are found through an online presence (customer), mobile presences, and ATM machines.
Online/Mobile Products and Technology Services: This can include payment methods like debit and credit cards, person to person payments, wholesale payments, wire transfers, global remittances, trust services, merchant remote deposit capture, or treasury services. Depending on the nature of the product and technology offered, different inherit risks are assigned.
Organizational Characteristics: This can include Mergers and acquisitions, changes in the information technology environment, locations of business presence, locations of operations and data center, or the number of users with privileged access.
External Threats: This includes the volume and sophistication of attacks that target an institution.
The risk levels range from Least Inherent Risk to Most Inherent Risk, providing the ability to establish the inherent risk in each category. The number of applicable statements in each risk level help measure the institution’s overall inherent risk profile. The inherent risk may differ within each category, so the institution should evaluate the number of instances for specific risk levels and assess the specific category for risk.
The Risk Levels include:
1. Least Inherent Risk
The banking institution is small with few employees and little use of technology, with some computers, applications, and connections.
2. Minimal Inherent Risk
The banking institution uses a limited variety of complex technologies, products and services, and outsources its mission-critical systems. There are a few types of connections to customers and third parties that are maintained with little complexity.
3. Moderate Inherent Risk
The banking institution uses moderately complex technology regarding quantity and sophistication. There is a possibility the mission-critical systems and applications are outsourced, and it is probable they support elements from the inside. An extensive array of products and services are also offered through diverse channels.
4. Significant Inherent Risk
The banking institution uses complex technology offering high-risk products and services, possibly using new technologies and hosting a large amount of applications internally. The institution allows the use of a considerable number of personal devices or device types. It also manages a significant number of connections to customers and third parties and offers a variety of payment services to a third party.
5. Most Inherent Risk
The banking institution uses very complex technologies to distribute many products and services, which are at the highest risk, including those offered to other enterprises. These emerging technologies are used throughout the delivery channels. Most mission-critical systems and applications are hosted internally, but a few may be outsourced. A great number of connection types used to transfer data to customers and third parties are managed by the institution.
