In May of 2017, the FFIEC put out a Cybersecurity Assessment Tool to help Financial Institutions assess and improve their Cyber Security environment. This has become an area of increasing concern for most institutions, and with the recently released statement the FFIEC put out in April 2018 on Cyber Insurance, regulators are becoming more concerned as well.
These types of assessment tools are very helpful for any business. They help us to assess the environment in which we operate and determine our capabilities to effectively and safely operate in these environments.
In a recent article I wrote about how important it is that institutions look at having dedicated Risk Managers be part of their organization. As the environments in which we operate continue to become more complex, the burdens placed on the executive team continue to become more difficult to manage. Whether it is someone within the organization or a third-party consultant, there needs to be someone involved in helping the executive team and board understand the environment in which they are operating.
As technology evolves and our reliance upon it increases, the need to understand the inherent risks associated with it are increasing. To effectively manage risk, our exposures have to be understood. We cannot protect ourselves unless we know what to protect ourselves from. Resources such as the Cybersecurity Assessment Tool are effective templates that an organization can use to further develop its programs.
Within this Tool it talks about two aspects of Cyber Risk Management that are essential to protecting the institution.
Inherent Risk helps the institution to understand the environment in which they are operating. It helps the institution look at how heavily they rely on technology and what the inherent risks are in that particular environment.
This is helpful especially from an insurance standpoint for the simple reason that by identifying the risks that the institution is exposed to, an insurance policy can be crafted around those exposures. If the exposures are not identified then often gaps will often occur in the insurance coverage and the results can be catastrophic for the institution.
After identifying the problems with the Inherent Risk portion of the Assessment Tool the institution can then move on to measure how well they are doing within the environment in which they are operating. The Assessment Tool provides assessment factors and contributing components to help the institution see what their maturity level is in the 5 Domains identified in the Tool.
Any program designed at mitigating risk is only effective if it is implemented and maintained properly. It is not easy to implement any Risk Management Program no matter the industry. They often come with complex policies and procedures and it is easier to avoid or be relaxed in the effort to maintain such programs when the job can be done without them.
Management has to be involved and have to buy into the programs for them to be effective. When they are effective, it allows the institution to operate effectively and efficiently. Because they understand their environment and the risks associated with it, they can see unique opportunities or dangerous threats.
Using these tools that are available and having dedicated personnel who are working to implement and utilize these types of tools are going to be essential in the coming years as the threats grow and the need to be able to react quickly to the changing environments increases.