FFIEC and Cyber Risk

Alfe Corona, MSCy, MSOL
6 min read · Jul 12, 2021



Note: The information on this site is my own and does not represent the positions, strategies, or opinions of my current or any previous employer.

Why I wrote this

First, I am a Cybersecurity Professional with experience in the financial industry in the areas of Cyber Defense, Identity and Access Management, Logical Access Provisioning/De-provisioning, Audit, Control Assessment, Quality Assurance, Legal, and others.

Second, I believe this information is relevant to those involved with any financial organization.

What is FFIEC?

The Federal Financial Institutions Examination Council is a formal U.S. government interagency body composed of five banking regulators:

  1. The Board of Governors of the Federal Reserve System (FRB)
  2. Federal Deposit Insurance Corporation (FDIC)
  3. National Credit Union Administration (NCUA)
  4. Office of the Comptroller of the Currency (OCC)
  5. Consumer Financial Protection Bureau (CFPB)

What is the purpose of the FFIEC?

To prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the five regulators mentioned above, and to make recommendations that promote uniformity in the supervision of financial institutions.

In addition, banks must also follow the Know Your Customer rule to ensure that customers are properly identified. The FFIEC guidelines cover what specific information banks need to collect as they carry out customer due diligence. For example, multi-factor authentication can be used to ensure accurate customer identification: it requires customers to present at least two different types of authentication factors before receiving bank services.

In response to recent global developments, FFIEC guidelines have been developed to strengthen cybersecurity in financial institutions. The FFIEC I.T. Examination Handbook contains the guidelines relating to the use of information technology in banking. The rules found in the FFIEC I.T. Examination Handbook cover:

  • Business continuity planning
  • Development and acquisition
  • Electronic banking
  • Information security
  • I.T. audits
  • I.T. management
  • Outsourcing technology services
  • Retail payment systems
  • Supervision of technology service providers
  • Wholesale payment systems

To comply with all of the FFIEC guidelines, financial institutions use software services that mitigate compliance risk. This software allows them to manage vendors, create business continuity plans, and adopt new technology while staying compliant with FFIEC guidelines.

Furthermore, banks and credit unions are examined by bank examiners from the FFIEC member agencies. The findings are reported, and the institutions are expected to correct any problems found.

Next, the FFIEC provides a Cybersecurity Assessment Tool (CAT) to help organizations better understand and address their cybersecurity risk.


The FFIEC Cybersecurity Assessment Tool (CAT) is a diagnostic test that helps institutions identify their risk level and determine the maturity of their cybersecurity programs.

The FFIEC’s tool measures risk levels across several categories, including delivery channels, connection types, external threats, and organizational characteristics. Ultimately, the tool allows management to make risk-driven security management decisions through regular cybersecurity assessments using standardized criteria for risk measurement.


The FFIEC Cybersecurity Assessment Tool works by building a measurable picture of an organization’s levels of risk and preparedness. Management conducts a two-part survey, including:

  1. An Inherent Risk Profile, which determines an organization’s current level of cybersecurity risk.
  2. A Cybersecurity Maturity assessment, which identifies an organization’s current cybersecurity preparedness level, as defined by maturity scores in five distinct domains (see below).

Details on how to complete each component can be found in the FFIEC CAT User’s Guide. The FFIEC cybersecurity assessment is meant to be completed periodically and also after significant technological or operational changes. Despite concerns among financial institutions that not using the tool could lead to regulatory issues, using the FFIEC tool is voluntary. However, the tool is becoming widely used in the financial industry as auditors are increasingly requiring companies to complete an assessment to demonstrate FFIEC CAT compliance.


The FFIEC’s Inherent Risk Profile assessment measures risks across the following five categories:

  • Technologies and Connection Types: Some types of technologies and the networks they connect to come with a higher inherent risk level. In this category, managers examine the number of connections from third parties and ISPs, the number of unsecured connections, whether hosting is outsourced or handled internally, and several other factors.
  • Delivery Channels: Some delivery channels for company products and services pose a higher risk than others. More delivery channels, and more diverse delivery channels, mean a higher inherent risk. In this category, risk is measured across websites, web and mobile applications, and ATMs.
  • Online and/or Mobile Products and Tech Services: The security of an institution varies depending on the technology products and services it offers. Payment and transaction services such as credit cards, wire transfers, person-to-person payments, and correspondent banking all come with different security challenges that are assessed in this category.
  • Organizational Characteristics: In this category, characteristics of the institution itself are examined, including number of direct employees, changes in security staff, number of users with elevated security privileges, locations of data centers, and more.
  • External Threats: The number of attacks (and the types of attacks) sustained by an organization factors into its risk assessment under this section of the FFIEC Cybersecurity Assessment Tool.


The FFIEC’s Cybersecurity Maturity assessment assigns values to maturity levels in the following five domains:

  • Cyber Risk Management and Oversight: This assessment examines oversight in terms of strategy, policies, robustness of the risk management program, staffing and budgeting of the program, culture, and training.
  • Threat Intelligence and Collaboration: What processes are in place to uncover, analyze, and share findings on evolving cybersecurity threats? In this domain, management grades the institution on threat intelligence, monitoring and analysis, and the relationships with peers and internal stakeholders that facilitate or hinder cyber threat information sharing.
  • Cybersecurity Controls: What’s the current maturity of controls in place to protect infrastructure, assets, and information through constant, automated monitoring and protection? In this domain, controls are assessed from detective, preventative, and corrective perspectives.
  • External Dependency Management: This FFIEC maturity assessment domain delves into the organization’s existing program to oversee and manage third-party relationships and external connections that have access to the enterprise’s information and technology assets.
  • Cyber Incident Management and Resilience: In this domain, the organization’s own assessors evaluate its response to cyber threat events, including planning and testing for the recovery of normal operations after an event.


The benefits provided by the FFIEC Cybersecurity Assessment Tool are varied, but in general they bring a measure of scrutiny and control to a critical yet too-often overlooked area of an institution. Using the FFIEC CAT can help an organization:

  • Identify areas of risk proactively, before there is a problem
  • Determine the depth and breadth of cyber risk your organization is exposed to
  • Discover the institution’s preparedness to deal with the cyber threats it faces
  • Make decisions about security processes and programs based on the true nature of existing risk
  • Use a measurable and repeatable process to assess risk preparedness over time
  • Understand, address, and mitigate cybersecurity risks


When investors see that their money is guaranteed by institutions such as the FDIC or the NCUA, they can be more confident that those guarantees will be honored, because of the oversight the agencies exercise collectively through the FFIEC. Similarly, a cybersecurity assessment analyzes your organization’s cybersecurity controls and their ability to remediate vulnerabilities. These risk assessments should be conducted within the context of your organization’s business objectives.