Going Beyond FFIEC: How the Banking Industry Can Step Up Security Assessments

This article was originally published in the Open Forum of the ISSA Journal for September 2019.

The Open Forum is a vehicle for individuals to provide opinions or commentaries on infosec ideas, technologies, strategies, legislation, standards, and other topics of interest to the ISSA community. The views expressed in this column are the author's and do not reflect the position of the ISSA, ISSA Journal, or the Editorial Advisory Board.

Measuring and understanding security risk isn’t simple, especially for financial institutions. Much of the data available for analysis is qualitative, making it difficult to analyze in the exceedingly quantitative world of finance. Because of the complexity involved, a thorough risk assessment needs to be carried out holistically, not just within the structural boundaries of the FFIEC (Federal Financial Institutions Examination Council) protocols. When financial organizations go beyond these basic requirements to evaluate risk, there is a significant opportunity to improve overall outcomes and achieve proper security posture. 

Here’s what financial institutions can do in order to step up their IT security risk assessments.

Start with the guidance, but don’t end there

All banks have to adhere to the FFIEC standards, a framework of “things to do” specific to financial institutions. Building off of this framework is the FFIEC Cybersecurity Assessment Tool which can – and should – be used as a basic guide for evaluating risk. It was developed to help institutions identify possible vulnerabilities and determine their cybersecurity preparedness. Additionally, the framework is generally very useful in that it provides financial institutions with a repeatable, measurable process for assessing cybersecurity risks over time.

However, this framework only shows stakeholders a limited view of the company’s overall security health. There was a time when following the spreadsheet and FFIEC best practices was considered to be sufficient. Today, with banks being one of the top targets for cyber criminals, this framework is simply not enough to protect customer data. The basic “yes/no” nature of the guidance is too informal to legitimately address the subjective nature of a security program. We need to really utilize this framework as a place to start in terms of evaluating risk. Without deeper analysis, the answers from the FFIEC assessment tool could never holistically determine a financial institution’s security posture. 

Use scenario-based events

The FFIEC tool helps test against basic industry standards, while scenario-based events help to test against the current, focused threats most likely to be faced. When reviewed in tandem, you’ll have a much clearer analysis of risk.

It is enormously helpful to come up with a list of possible security events, based on real use cases, to help determine risk both quantitatively and qualitatively. Here’s an example that I often see played out: The bank’s head of risk issues the FFIEC Cyber Assessment Tool to their IT security team to complete, who then determines that they’ve adequately followed the standards based on the yes/no questions. When pressed to answer qualitatives—more than just yes or no—we learn that they have little in the way of data documentation to prove their answers. These are the banks that fail to meet compliance when regulators come in to evaluate. This isn’t just a failed test, but could turn out to be a disaster in terms of planned mergers and acquisitions, resources, cost, and reputation. 

Which is why the right next step is to perform a scenario-based risk assessment within your environment, using both current and potential attack scenarios, risks, and breaches. A simulation based on probabilities should be done for every potential (or real) threat that you’ve identified. By going through this process, not only will your financial institution have greater awareness of likely threats, but also a better understanding of the impacts and likelihood associated with each.

From there, recommendations, short term and long term, are created to deal with vulnerabilities and weaknesses. Having a tangible, workable plan that’s based on the FFIEC standards and real threats has a number of benefits. From reducing costs to drastically reducing risk, the recommendations that come from scenario-based assessments show stakeholders that consumer protection is truly one of your top concerns. 

Aim for both short and long-term benefits

Your board and the C-suite may be pressuring you for metrics and recommendations based on your most recent FFIEC assessment, but they don’t really mean anything if they’re not in the context of a security plan tied to specific company objectives and current attack scenarios. 

As the security leader, you may be looking at your assessments as tools to root out vulnerabilities and fend off breaches. Like the FFIEC guidance, this is just part of the big picture. Your executives and board are looking at brand risk, costs, and resource allocation. When you expand your assessment to be more holistic and thorough, you find opportunities to show short term (threat deflection) and long term (cost savings, reputation) benefits.

A detailed and contextually-relevant picture of security posture is needed to achieve an outcome-based plan. Unlike traditional audits, this requires a deep dive review, including an effectiveness score for each FFIEC yes/no statement, to help prioritize the different areas of the security program. 

Without the right information, your exposure to risk might greatly exceed what you think it is, leaving you at a major disadvantage against hackers. What’s more, organizational decisions related to overall risk management are misinformed. It will be difficult to allocate adequate resources toward protecting your assets to achieve a proper security posture.

Going beyond the FFIEC standards and performing a threat-informed cyber risk assessment allows your organization to not only quantify your cybersecurity risk in terms of fiscal value, but also prioritize and target precise areas with the greatest loss potential. From a clearer understanding of security posture, to better-informed decision making regarding risk, there are significant benefits to looking beyond industry standards for security risk assessment. 

Gregory Smith is a Senior Risk Advisor with Alagen cybersecurity solutions. He is an accomplished consultant with over 30 years in financial services, cybersecurity and information technology consulting. Greg is also the author of our Integrating IT Risk into Enterprise Risk Management for Financial Institutions white paper.