October 19, 2015
A banking cybersecurity assessment tool launched this summer by a federal interagency body has sparked worries that the "optional" protocols are becoming anything but voluntary.
It was in June that the Federal Financial Institutions Examination Council made the new assessment tool available. The aim of the detailed protocol was to "help institutions identify their risks and assess their cybersecurity preparedness," the FFIEC said in announcing the tool.
The FFIEC cybersecurity assessment aims to address a monumental task for banks: keeping data safe in an era of increasingly sophisticated cyberattacks. While data breaches are rare at banks, their consequences can be devastating. It's estimated that the fallout from a 2014 breach at the nation's largest bank, JPMorgan Chase, could reach $1 billion.
Risk profiles and 'maturity levels'
The 57-page assessment walks banks through creating an "inherent risk profile," which establishes a baseline for the institution's current exposure on a five-part scale running from least risk to most risk. The second part of the protocol leads bankers to place their institutions in one of five "maturity levels" that describe the bank's posture in five security domains. The five levels run from "baseline" through "evolving" to the highest category of "innovative." The security domains include "threat intelligence and collaboration" and "cyber incident management and resilience."
Comptroller of the Currency Thomas Curry recently lauded the usefulness of the cybersecurity tool to Frank Keating, president and CEO of the American Bankers Association.
"One of the most important changes that I have observed since becoming comptroller is that cybersecurity has become a topic for the boardroom," Curry said in a question-and-answer interview with Keating. "It's not just a job for the technology team anymore. It's a job for management, and more than that, it's everyone's responsibility. The FFIEC Cybersecurity Assessment Tool supports the industry by giving banks and thrifts a systematic way to assess their cybersecurity readiness and evaluate their progress."
Putting all banks in one box?
But American Banker reports misgivings among institutions that see the limits of the protocol in the rapidly evolving field of bank cybersecurity.
In a letter to regulators, Rose Oswald Poels, president and CEO of the Wisconsin Bankers Association, wrote that the industry "fears the banking agencies … will force all financial institutions into one box and ultimately into using only those resources in the tool."
If bank examiners rely only on the assessment tool, Poels wrote, financial institutions "should not be forced to spend hours justifying to examiners" if they happen to be using other resources that are as valid as, or more valid than, the tool for securing sensitive data.
There's also a concern that yet another set of detailed responses - even though it is not a requirement like so many of the new rules the industry is digesting - adds unreasonably to reporting burdens.
"The assessment, at over 55 pages, will require a significant amount of time and resources for financial institutions to fully understand," Luke Martone, senior director of advocacy and counsel at the Credit Union National Association, wrote in a letter quoted by American Banker.
Adds to Dodd-Frank burdens
A key challenge for bankers in recent years has been navigating the rapidly changing regulatory environment. The Dodd-Frank Act, forged in the aftermath of the financial crisis, added extensive reporting regulations that are being put into effect - at varying rates of speed - by entities like the Consumer Financial Protection Bureau.
Regulators have pledged to keep updating the assessment, which they piloted at more than 500 financial institutions in 2014. The current cybersecurity assessment is marked as expiring in December.
Banks are continually facing challenges, be they from the shifting regulatory landscape or interest rate policy. Any questions or concerns can be discussed with loan sale advisory firm Garnet Capital Advisors.