In June 2015, the Federal Financial Institutions Examination Council (FFIEC) published a voluntary Cybersecurity Assessment Tool to help credit unions and other financial institutions identify their risks and determine their cybersecurity preparedness.

The tool comprises two main parts:

1. A survey tool to help the credit union determine its inherent risk profile (from least risky to most risky); and

2. A cybersecurity maturity tool that provides detailed recommendations across many operational areas, graded into maturity levels, which a credit union can compare against its inherent risk profile and its current policies and practices.

To assist with implementation, the tool is accompanied by detailed supporting educational materials for directors and boards, and a user guide. It is a useful addition to the cybersecurity resources available to credit unions, as well as to banks and similar financial businesses. However, the tool also poses implementation challenges that deserve close consideration before a credit union makes use of it.

Survey Tool

On the positive side, institutions should strongly consider using the Survey Tool to determine their inherent risk profile. The survey scores key factors such as:

  • Types of technologies used and numbers of internet connections;
  • Types of financial systems at issue (e.g., customer-facing websites, ATMs, mobile banking);
  • Types of financial services offered (e.g., wire transfers, trust services, inter-bank and global transfers);
  • Organizational factors (e.g., locations of branches, offices, data centers and extent of involvement in past or future mergers);
  • The number of employee and third-party vendor connections to internal systems; and
  • Extent of past cyberattack activities.

Based on the responses, the credit union receives a score on a five-point scale, from least to most risky, for each assessed element, and can then use those data points to develop an overall inherent risk profile. A moderate or higher risk profile should prompt directors to schedule a review of the institution’s current cybersecurity protections, if one has not been performed recently.

Cybersecurity Maturity Tool

This is a further positive component of the assessment tool, as it identifies numerous, highly prescriptive, recommended measures to address the various risk factors. Credit unions can use these measures to plan for full or staged implementation over a multi-year period, whether carried out by in-house staff, an experienced third-party cybersecurity vendor or consultant, or both.

The cybersecurity maturity tool sets a high bar on cybersecurity protections for all credit unions. For example, even the lowest maturity level (the so-called baseline) would require participating credit unions, including those with a lower inherent risk profile, to:

  • Discuss cyber risks at board meetings when prompted by high-profile incidents nationwide;
  • Develop a written management report on the overall status of the information security and business continuity programs at least annually;
  • Expressly consider information security-related expenses and tools in the annual budgeting process;
  • Develop and maintain an information security strategy that integrates technology, policies, procedures and training to mitigate risk;
  • Develop and maintain policies commensurate with the institution’s risk and complexity in the specific areas of information technology risk management, threat information sharing, information security, third-party management, and incident response and resilience;
  • Maintain an inventory of organizational assets (e.g., hardware, software, data and systems hosted externally), prioritized for protection and with particular staff members identified as accountable for each asset;
  • Complete a risk assessment covering several key factors;
  • Complete an independent security audit covering several key factors; and
  • Conduct regular, not less than annual, employee training.

Higher levels – identified as evolving, intermediate, advanced, and innovative – add increasingly demanding implementation measures.

The measures at every maturity level are reasonable, rational suggestions that should serve as a roadmap to good cyberhealth for credit unions, both individually and collectively.

Implementation Challenges

Notwithstanding the evident utility of the tool, its apparent use by regulators poses significant challenges for credit unions that should be clarified, if possible, before a credit union adopts it. Although the FFIEC recommendations are supposed to be voluntary, credit unions and their associations have seen indications that federal and state examiners are using the tool’s “high bar” protections to establish new, state-of-the-art benchmarks against which risk-based security programs will be judged during examinations. This apparent misuse raises a host of implementation questions for credit unions, including:

  • Whether credit unions should hold off on significant use of the tool, pending guidance from examiners regarding which provisions are strongly recommended and which are disfavored;
  • Whether examiners will permit partial or staged use of the tool, or whether they will expect or even require implementation of all measures at a given maturity level; and
  • Whether credit unions will face increased risk of actions by plaintiffs’ lawyers if they use the tool or, conversely, not use it.

Credit unions have emphasized that either the tool should remain fully voluntary or the FFIEC should revise it to make it more reasonable for use in a regulatory context. The FFIEC has been reviewing the tool’s use and held a workshop on April 7, 2016 to solicit feedback. The hope is that federal and state regulators will clarify whether the tool’s voluntary standards are expected to be treated as required and, if so, on what timeline. The standards in the tool are rigorous, and it may well be in the interest of credit unions to implement them over a multi-year period according to priority, if regulators permit.

Robert J. Munnelly, Jr. is a shareholder practicing in the Regulatory and Administrative Law area at Davis, Malm & D’Agostine, P.C. He can be reached at 617-589-3822 or [email protected].

© 2025 ALM Global, LLC, All Rights Reserved.