Well-intentioned organizations trying to implement cybersecurity best practices can quickly become discouraged by the ocean of rules, guidance, and standards. The National Institute of Standards and Technology (“NIST”), the Federal Financial Institutions Examination Council (“FFIEC”), the National Association of Insurance Commissioners (“NAIC”), and the New York Department of Financial Services (“NYDFS”), to name a few, all have cybersecurity rules and guidance. While many of the recommendations and requirements among this alphabet soup of agencies overlap, implementation can still be daunting.
The NIST framework is comprehensive and detailed. The FFIEC provides a useful assessment tool for financial institutions, and it maps its recommendations to the NIST framework. The NAIC model law, which this blog recently discussed in relation to the NYDFS guidance, requires organizations to conduct a risk assessment, but leaves it up to the organization to select the tool.
In October 2018, the Financial Services Sector Coordinating Council (“FSSCC”) published a synthesis of these standards into a single assessment tool. The tool is an attempt to bring harmony to what are often similar standards that use slightly different language.
The tool helpfully distinguishes between different tiers of financial institutions. Tier 1 covers national critical infrastructure, so it applies to the largest financial institutions in the country. Tier 2 institutions have the ability to cause a substantial national financial issue, but are not large enough to be deemed critical. Tier 3 institutions have a high degree of interconnectedness with certain sectors. Finally, tier 4 institutions have fewer than 1 million customers. Most community banks will be tier 4 institutions.
Based on the institution’s classification, the analysis tool tailors the results to the institution’s needs. This provides institutions with a useful pre-exam assessment to help identify areas that might be of concern to regulators, as well as identify possible deficiencies in the organization’s cybersecurity preparedness. Even non-financial institutions can benefit from use of the FSSCC tool, because it is mapped to the NIST framework.
With the dizzying array of cybersecurity recommendations and standards available, many organizations fall victim to a “check the box” mentality to satisfy a regulator or meet a standard. However, cybersecurity depends on organizations doing an analysis of their specific risk profile, and tailoring their cybersecurity defenses accordingly. Finding a workable assessment tool that makes sense for a particular organization can go a long way toward helping that organization reduce the risk of a cybersecurity incident. That, after all, is the real goal of cybersecurity planning.