WASHINGTON – The Federal Financial Institutions Examination Council reiterated Monday that its cybersecurity assessment tool is voluntary, despite bankers' fears that not using it could put them in hot water with their examiners.
In a set of 18 questions and answers released by the FFIEC, the interagency group – which counts the Federal Deposit Insurance Corp., Federal Reserve, Office of the Comptroller of the Currency and National Credit Union Administration among its members – clarified some points and stressed that the tool was not a regulatory requirement.
"Does my institution have to use the Assessment? No," said the document. "Use of the assessment by institutions is voluntary."
However, the FFIEC said regulators could make use of the tool in different ways.
"To obtain additional information about a particular FFIEC member's use of the assessment, financial institution management should contact its institution's regulator directly," the document said. "Management of financial institutions and management of third-party service providers are primarily responsible for assessing and mitigating their entities' cybersecurity risk."
The FFIEC also said it would not release an automated version of the tool, but that it would update it based on new threats observed and changes made in the FFIEC's IT handbook.
