In a letter to the Federal Financial Institutions Examination Council earlier this month, the ABA and the Bank Policy Institute provided feedback on the FFIEC Cybersecurity Assessment Tool, a voluntary tool developed in 2015 to help financial institutions assess their cyber risk and preparedness. Stressing that the tool should continue to be a voluntary resource, they called on the council to leverage other cybersecurity tools that have been created since the CAT was released, including the Cyber Risk Institute profile, which was created with the assistance of the ABA and the BPI and is continuously updated.
“[T]he CRI profile would provide financial institutions with greater opportunity to minimize the burden of responding to numerous bespoke reviews, as well as provide regulators with greater visibility into systemic risk using a widely adopted assessment of cybersecurity control and assurance that reviewers and financial institutions speak the same language,” the groups wrote. “By basing exams on existing and widely recognized standards, government agencies would be in a better position to hire examiners because more potential candidates are familiar with basic exam expectations.”
They further recommended that the FFIEC encourage examiner training on other global cyber risk assessment standards and frameworks, including the National Institute for Standards and Technology’s Cybersecurity Framework, to which the CRI profile is aligned.