FFIEC Cybersecurity Assessment Tool: What You Should Know

By now, you may have heard the hype surrounding the new assessment tool from the Federal Financial Institutions Examination Council (FFIEC). This powerful new tool is critically important to mortgage businesses of all sizes, enabling them to better evaluate the health and maturity of their cybersecurity systems. We’ve provided a comprehensive guide of the most important things you should know about the new FFIEC Cybersecurity Assessment Tool.

Is the Cyber Assessment Tool Required?

The Commonwealth of Massachusetts apparently takes the FFIEC tool very seriously. We understand that it sent notices to mortgage companies informing them that they must complete the audit this year (by the end of June, actually). Other states, however, have yet to require financial institutions to implement the tool.

Are there resources available to assist small businesses with using FFIEC tools?

Unfortunately, the truth is there's not a lot of help out there. The audit with an annual completion deadline clearly addresses larger organizations that have staff dedicated to cybersecurity. Even MBA conferences dealing with this issue generally focus on larger mortgage companies. When questioned about providing guidance for small shops, the panelists from one such conference said they had not worked with groups smaller than 75-100 employees. So, the devil is in the details for smaller companies.

Initial Takeaways

The audit required by the Cybersecurity Assessment Tool provides a baseline that tells you where your cybersecurity efforts stand at the moment. It is not a pass/fail test. It's meant to help you improve from year to year.

The FFIEC intended for the tool to help financial institutions understand their cybersecurity risks and how prepared they are to prevent attacks. The assessment tool can also inform the path you follow with respect to risk management.

The tool has two parts to it: the first is to assess risk inherent in the organization, and the second looks at your organization's maturity in addressing cyber controls. That should ease your mind, at least for the first year. To help you prepare, here are some commonly asked questions for first-time users.

• What if an assessment question doesn't seem applicable to our office? How do we answer it?
  
  Do the best you can to answer questions as they apply to you. If something seems completely irrelevant to your operations, skip it, noting that it is not applicable to your business.
  
• Doesn't skipping a question hurt your score?
  
  Don't worry about scores, at least for this year. Just answer the questions that seem relevant as truthfully as you can. By next year, we hope there will be more guidance from FFIEC (or those conference gurus). In the meantime, we learn as we go.
  
  
• We are small. We do not have IT personnel on staff. What can we do?
  
  Stop going it alone. The answers to the assessment questions may open up an opportunity to reevaluate whether your business could gain by using mortgage cloud hosting services. Cloud  IT services let your employees concentrate on using their service strengths, while IT professionals help you stay abreast of the ever-evolving cybersecurity scene with vulnerability management solutions.
  
  
• If you find yourself stumped, reach out for help.
  
  One Massachusetts client reached out for help understanding how the assessment questions applied to them. We were able to guide them through the process, and in the end, they provided answers to their auditor to obtain the certification Massachusetts required.

To talk more about the FFIEC assessment tool, mortgage IT services in the cloud, or other cybersecurity issues, please contact us.