In June 2015, the Federal Financial Institutions Examination Council (FFIEC) published a voluntary Cybersecurity Assessment Tool to help credit unions and other institutions identify their risks and determine their cybersecurity preparedness.

The tool comprises two main parts:

1. A survey tool to help the credit union determine its inherent risk profile (from least risky to most risky); and

2. A cybersecurity maturity tool that provides detailed recommendations in many operational areas, each of which differs by inherent risk profile level and can be compared against current credit union policies and practices.

To assist with implementation, the tool is accompanied by detailed supporting educational materials for directors and boards, and a user guide. It is a useful addition to the cybersecurity resources available to credit unions, as well as to non-credit-union banks and similar financial businesses. However, the tool also poses implementation challenges that should be given close consideration before a credit union makes use of it.

Survey Tool

On the positive side, institutions should strongly consider using the Survey Tool to determine their inherent risk profile. The risk profile analyzes key factors such as:

  • Types of technologies used and number of internet connections;
  • Types of financial systems at issue (e.g., customer-facing websites, ATMs, mobile banking);
  • Types of financial services offered (e.g., wire transfers, trust services, inter-bank and global transfers);
  • Organizational factors (e.g., locations of branches, offices and data centers, and extent of involvement in past or future mergers);
  • The number of employee and third-party vendor connections to internal systems; and
  • Extent of past cyberattack activity.

Based on the responses, the credit union receives a score on a five-point scale from least to most risky for each assessed element, and can then use those data points to develop an overall risk profile. A medium- or high-risk profile score should prompt directors to schedule a review of their institution's current cybersecurity protections, to the extent one has not been performed recently.

Cybersecurity Maturity Tool

This serves as an additional positive component of the assessment tool, as it identifies numerous, highly prescriptive, recommended measures to address various risk factors. Credit unions can use these measures to plan for full or staged implementation over a multi-year period, whether carried out by in-house resources, an experienced third-party cybersecurity vendor or consultant, or both.

The cybersecurity maturity tool sets a high bar on cybersecurity protections for all credit unions. For example, even the lowest maturity level (i.e., the so-called baseline) would require participating, presumably lower-risk, credit unions to:

  • Discuss cyber risks at board meetings when prompted by high-profile occurrences nationwide;
  • Develop a written management report on the overall status of the information security and business continuity programs at least annually;
  • Expressly consider information security-related expenses and tools in the annual budgeting process;
  • Develop and maintain an information security strategy that integrates technology, policies, procedures and training to mitigate risk;
  • Develop and maintain policies commensurate with the institution's risk and complexity in the specific areas of information technology risk management, threat information sharing, information security, third-party management, and incident response and resilience;
  • Maintain an inventory of organizational assets (e.g., hardware, software, data and systems hosted externally), prioritized for protection and with particular staff members identified as accountable for each asset;
  • Complete a risk assessment of each of several key factors;
  • Complete an independent security audit that includes several key factors; and
  • Conduct regular, not less than annual, employee training.

Higher levels – identified as evolving, intermediate, advanced, and innovative – include increasingly enhanced implementation measures.

All of the measures specified by maturity level are reasonable, rational suggestions that should serve as a roadmap to good cyber health for any credit union, both individually and collectively.

Implementation Challenges

Notwithstanding the evident utility of the tool, its apparent use by regulators poses significant challenges for credit unions that should be clarified, if possible, before a credit union adopts it. Although the FFIEC recommendations are supposed to be voluntary, credit unions and associations have seen indications that federal and state regulatory examiners are using its "high bar" protections to establish new, state-of-the-art benchmarks against which risk-based security programs will be judged during audits. This apparent misuse poses a host of implementation challenges for credit unions, including:

  • Whether credit unions should hold off on significant use of the tool, pending guidance from examiners regarding which provisions are strongly recommended and which are disfavored;
  • Whether examiners will permit partial or staged use of the tool, or whether they will either support or even require implementation of all measures at a given risk level; and
  • Whether credit unions will face increased risk of actions by plaintiffs' lawyers if they use the tool or, conversely, do not use it.

Credit unions have emphasized that either the tool should remain fully voluntary or the FFIEC should make changes to render it more reasonable for use in a regulatory context. The FFIEC has been reviewing the tool's use and held a workshop on April 7, 2016 to solicit feedback. The hope is that federal and state regulators will provide guidance on whether the voluntary standards in the tool are expected to be treated as required and, if so, on what timeline. The standards in the tool are rigorous, and it may well be in the interest of credit unions to implement them over a multi-year period according to priority, if permitted by regulators.

Robert J. Munnelly, Jr. is a shareholder practicing in the Regulatory and Administrative Law area at Davis, Malm & D'Agostine, P.C. He can be reached at 617-589-3822 or [email protected].
