The U.S. federal government is soliciting thoughts on the cybersecurity assessment tool used by the Federal Financial Institutions Examination Council.
The governmental interagency body, which comprises all five banking regulators, introduced the tool in 2015 as an ostensibly voluntary way for banks and credit unions to self-assess their exposure to risk and the maturity of their cybersecurity programs. The FFIEC appreciates “the benefits of using a standardized approach to assess and improve cybersecurity preparedness,” as an August 2019 statement from the National Credit Union Administration underlined.
Financial services continue to be the target of severe cyberattacks, with data from consultancy Accenture showing the per-company cost of cybercrime reaching more than $18 million for sector companies.
In a notice set for publication by the Office of the Comptroller of the Currency, FFIEC members say they want information that will “enhance the quality, utility, and clarity of the information to be collected.” The notice also asks for ways to minimize the burden of filling out the assessment, and whether its estimate of 90 hours on average to complete the assessment is accurate.
One thing the council will not do, the notice says, is report any public information based on analysis of anonymized contents of the assessment tool, despite a suggestion