Is Cyber Risk Tool Now 'Voluntary' in Name Only?

WASHINGTON—A cybersecurity assessment tool designed to help credit unions and banks bolster their defenses against hackers and other cybercriminals is continuing to sow confusion among financial institutions, with some arguing it is effectively imposing tougher standards on the industry.

Since its release in June by the Federal Financial Institutions Examination Council, regulators have insisted the tool is purely voluntary. But some state regulators have strongly urged FIs to incorporate it into their risk and preparedness self-evaluations, feeding concerns that the guidelines are mandatory in all but name.

"Everybody understands there's sort of quotes around voluntary," said Kevin Petrasic, a banking industry lawyer and former official at the Office of Thrift Supervision. "The last thing you want to have is a warning shot fired by the examiner that the bank doesn't heed."

A September notice by the Texas Department of Banking encouraged banks to use the tool "as it is the only methodology specifically designed for the banking industry." The state's examiners will be reviewing "completed cybersecurity assessments" starting this year, according to the letter.

Within a few weeks, Massachusetts's Division of Banks and Maine's Department of Professional and Financial Regulation both issued similarly worded statements.

Banks and credit unions further worry that some influential states might be leading the way on tougher cybersecurity standards, prompting others to follow suit, whether or not they possess enough resources to enforce those measures.

In November, the New York State Department of Financial Services penned a letter to federal and state agencies calling for "regulatory convergence… on new, strong cyber security standards for financial institutions." The agency also proposed imposing specific new requirements on New York-chartered banks, including multifactor authentication and annual vulnerability assessments.

"Whatever New York does will have a ripple effect," said Lynne Barr, a partner in Goodwin Procter's financial institutions group.

But that could be a bad thing, she argued.

"I don't think by and large that states have the expertise or the resources to really be on top of cybersecurity threats the way that central regulators do," Barr said.

The tool is made up of two parts. The first measures an institution's "inherent risk profile" and the second helps determine its "cybersecurity maturity" to describe how advanced its cyberdefenses are. The regulators expect that as an institution's risk profile increases, so will its maturity level.

It was drawn in part from exam protocol. For companies at the "baseline" risk level, the guidelines are derived from requirements contained in FFIEC examiners' IT handbook.

This has fueled concerns that the tool might be used in examinations, either formally or as an additional resource for examiners.

But regulators have reiterated that the tool, which was initially piloted among more than 500 community banks, is only meant for use on a voluntary basis by banks wishing to assess their cybersecurity preparedness more holistically.

In a request for public comment, the Office of the Comptroller of the Currency noted that the regulatory agencies are "educating examiners on the voluntary nature" of the tool, including in examiner training material.

"However, if a financial institution has completed an assessment [using the tool], examiners may ask the financial institution for a copy, as they would for any risk self-assessment performed by the financial institution," the OCC added.

Yet how regulators use the tool varies among agencies.

While the OCC has said that it plans to "gradually incorporate" it into its examination procedure, the Federal Deposit Insurance Corp. has only instructed its advisors to "discuss" the tool with managers.

It "is a voluntary tool," said Rockhelle Johnson, the senior manager of communications at the Conference of State Banking Supervisors, an FFIEC member. "Each agency is using it in their examination process as appropriate."

Johnson added that the guidelines are not meant to be set in stone. "The FFIEC is committed to evaluate feedback that comes in and keep the tool updated," she said.

The FFIEC tool reproduces in part the National Institute of Standards and Technology cybersecurity framework, and was developed with input from NIST experts.

Credit unions are showing preference for the FFIEC's tool over the NIST framework. In a Feb. 3 letter to NIST, the National Association of Federal Credit Unions urged the agency to "maintain the voluntary structure" of the framework. NAFCU encouraged NIST to "carefully study the framework adopted in the [FFIEC cybersecurity assessment tool] and ensure that the revised NIST framework follow a similar approach."

Community banks, meanwhile, have been using the tool to tighten their standards, expecting it might come up during exams.

"I like the fact that this is pretty comprehensive," said Greg Bullock, the vice-president and IT manager at the $128 million-asset Metro Phoenix Bank in Arizona. "I've used it to fill in the gaps in our own program."

For his part, Bullock said, "I actually don't mind it being mandatory… Smaller institutions are sometimes reluctant to do something if they don't have to do it."

But one aspect of the test could actually reduce incentives to improve cybersecurity preparedness, Bullock warned. To reach a level of cybersecurity "maturity" in the tool, a bank has to satisfy a number of requirements in five separate domains.

"If you don't have all the items listed in one level of maturity, that's the maturity you're stuck at," he said. As a result, banks "might not be as ready to consider implementing [policies to reach a higher level]."
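To make the gating rule Bullock describes concrete, here is an added example (it is not from the article, and not the FFIEC's own tooling) that models the all-or-nothing maturity scoring: a single unmet statement at one level caps a domain there even when every statement at the next level up is met. The level names are the FFIEC tool's published ones, of which only "baseline" appears in the article; the three domains and their yes/no answers are constructed sample data.

```python
from typing import Dict, List, Optional, Tuple

# Maturity levels of the FFIEC tool, lowest to highest. Only "baseline" is
# named in the article; the other names are the tool's published ones.
LEVELS = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]

# Constructed sample (three of the five domains): domain -> level -> one bool
# per declarative statement, True meaning the institution meets it.
SAMPLE = {
    "Cybersecurity Controls": {
        "Baseline":     [True] * 6,
        "Evolving":     [True] * 9 + [False],   # one statement short
        "Intermediate": [True] * 5,             # fully met, but gated below
    },
    "Cyber Incident Management": {
        "Baseline": [True] * 4,
        "Evolving": [True] * 3,
    },
    "External Dependency Management": {
        "Baseline": [True, False, True],        # baseline itself incomplete
    },
}

def attained_level(levels: Dict[str, List[bool]]) -> Optional[str]:
    """Highest level such that it and every lower level are fully met.
    Returns None when even Baseline is not complete."""
    attained = None
    for level in LEVELS:
        answers = levels.get(level, [])
        if not answers or not all(answers):
            break                     # first gap caps the result here
        attained = level
    return attained

def blocking_gap(levels: Dict[str, List[bool]]) -> Optional[Tuple[str, int, int]]:
    """(level, unmet, total) for the first level that is not fully met, i.e.
    what keeps the domain from moving up. total == 0 means not yet assessed;
    None means nothing blocks."""
    for level in LEVELS:
        answers = levels.get(level, [])
        unmet = sum(1 for a in answers if not a)
        if not answers or unmet:
            return (level, unmet, len(answers))
    return None

def assess(tool_input: Dict[str, Dict[str, List[bool]]]) -> Dict[str, Optional[str]]:
    """Attained maturity level for each domain in the input."""
    return {name: attained_level(levels) for name, levels in tool_input.items()}
```

Run on the sample, "Cybersecurity Controls" reports Baseline despite its fully met Intermediate statements, which is the incentive problem Bullock raises; blocking_gap points at the one Evolving statement responsible.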

Some community banks are also complaining that the tool could be cost-prohibitive on institutions with limited resources.

"Bear in mind that we must wear several hats in a small bank and that distracts from completing just one task, like completing the tool," said Clark A. Hervert, vice-president at the $133 million-asset First National Bank in Ord, Neb., in a Jan. 8 comment letter to the FFIEC.

Large banks, which are typically more advanced in their cybersecurity practices, have expressed different concerns about the tool. They are asking for more conformity between it and guidelines directed at firms in other industries.

But banks argue that differences between the FFIEC's tool and the NIST system could create a rift in cybersecurity standards between the financial industry and companies that service it.

By creating a closer mapping of the FFIEC to the NIST framework, regulators could "ensure that our critical third party providers adhere to the same cybersecurity requirements as we do," said Doug Johnson, the vice president and senior advisor of risk management policy at the American Bankers Association.

"Think of it as ornaments on a Christmas tree. The Christmas tree has a level of stability to it, but individual sectors have different ornaments," said Johnson. "So that we have as much commonality as possible as opposed to have complete disparity."

MORE FROM AMERICAN BANKER