WASHINGTON — Bankers are increasingly concerned that an optional cybersecurity assessment tool released by regulators this summer could soon become mandatory.
The tool was released in June by the Federal Financial Institutions Examination Council as a way for banks to take stock of their preparedness against cyber threats. But because examiners are trained on the use of the tool, bankers have begun to fear that institutions that don't use it could find themselves in regulatory crosshairs.
The industry "fears the banking agencies … will force all financial institutions into one box and ultimately into using only those resources in the tool," Rose Oswald Poels, the president and chief executive of the Wisconsin Bankers Association, wrote in a letter to regulators last month. Institutions "should not be forced to spend hours justifying to examiners" about the use of alternative cybersecurity resources.
Some have urged regulators to refine the tool.
"The sector suggests that the FFIEC treat its Assessment not as a finalized tool for the purposes of immediate regulatory examination (and assessing perceived cybersecurity preparedness), but as an initial version — a Version 1.0," wrote the Financial Services Sector Coordinating Council, which represents a number of financial associations, operators, utilities and exchanges.
That is not to say that bankers are not grateful that the tool exists. Banks and credit unions said that the tool, which was developed after an assessment conducted by more than 500 community banks last year, is useful.
"This tool will be very beneficial to attaining our cybersecurity goals because it gives us not only an existing benchmark of our current structure, the maturity matrix gives us concrete goals to attain," wrote Randall Odenbaugh, vice president of IT at the $150 million-asset Prince George's Community Federal Credit Union.
The tool, which is designed to pair with the National Institute of Standards and Technology Cybersecurity Framework that was in launched in early 2014, is made up of two parts. The first measures an institution's "inherent risk profile" and the second helps determine its "cybersecurity maturity" to describe how advanced its cyberdefenses are. The regulators expect that as an institution's risk profile increases, so will its maturity level.
Some critics said the maturity scale was too rigid at times, however, because it relies on declarative statements that need to be checked off before a firm can move into the next maturity level.
"This does not seem to allow for an organization to have flexibility when maturing its processes or reducing its residual risk," wrote David Pocynek, chief information security officer at the $30 billion-asset Bank of Oklahoma Financial. "The declarative statements were especially prescriptive in their descriptions and yet were open for interpretation."
The maturity level starts at "baseline" and moves up the scale to "evolving," "intermediate," "advanced" and "innovative." Each stage requires a bank to declare if it has implemented certain steps. In the "evolving" stage, for example, institutions are asked to assert that they have "domain name system security extensions deployed across the enterprise."
But Susan Orr, who operates her own consulting firm and worked with several banks on completing the tool, suggested that some of the declarative statements in the lower-maturity rungs might belong higher up the pyramid.
Referring to the statement for domain name system security extensions, or DNSSEC, she asked, "Does this statement need to be in evolving or could it be moved to advanced?"
"Most community banks have no clue what DNSSEC is," she wrote in a letter to regulators.
In an interview, Orr said a number of network security professionals working with the tool also don't know what a DNSSEC is.
In its letter, the coordinating council agreed that the declarative statements should be reevaluated. For instance, the tool says that a risk assessment should be updated before new technologies, products, or services are deployed, but the council said "hardware changes, such as router switching," should "not necessitate a reevaluation of the risk assessment."
Some industry representatives also found the tool to be more elaborate and involved than it needed to be. "The assessment, at over 55 pages, will require a significant amount of time and resources for financial institutions to fully understand," wrote Luke Martone, senior director of advocacy and counsel at the Credit Union National Association. He added that the estimated reporting burden by the regulators is "severely understated."
Poels from the Wisconsin banker group said in an interview that some of its members who have looked at the tool "believe that it goes more in depth and is a deeper dive than what traditional community banks that offer traditional services and delivery methods really need to have."
Doug Johnson, senior vice president and the American Bankers Association and chief adviser on payments and cybersecurity policy, said in an interview the tool does have "fairly elaborate mapping" to the NIST framework. As soon as bankers got a look at the tool, many saw the need to "build a tool on top of the tool" to make it simpler, he said. He said trade groups are collaborating on their own simplified tool.