What is FFIEC Compliance?
FFIEC compliance is conformance to the information security and IT supervisory guidance issued for financial institutions by the Federal Financial Institutions Examination Council (FFIEC). The Council is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions, and to make recommendations to promote uniformity in the supervision of financial institutions.
FFIEC guidance calls for periodic reassessment, and performing the assessment at least once a year is a common practice for confirming that FFIEC cybersecurity guidance and best practices for financial institutions remain in place. Sword & Shield Enterprise Security’s turn-key FFIEC Assessment service helps banks that must adhere to FFIEC information security guidelines, and the examiners who review them, determine the bank’s inherent risk profile and level of cybersecurity preparedness.
Our cybersecurity and compliance experts partner with you to conduct the assessment efficiently using the FFIEC Cybersecurity Assessment Tool, industry knowledge, and their technical and compliance expertise.
Our FFIEC Assessment is designed for banks of all sizes and incorporates concepts and principles contained in the FFIEC IT Examination Handbook, regulatory guidance, applicable laws and regulations, FFIEC joint statements, and concepts from well-known industry standards, such as the NIST Cybersecurity Framework.
Inherent Risk Profile and Cybersecurity Maturity Assessment
The FFIEC assessment consists of two parts: an inherent risk profile and a cybersecurity maturity assessment.
An inherent risk profile identifies the amount of risk posed to a bank by the types, volume, and complexity of the bank’s technologies and connections, delivery channels, products and services, organizational characteristics, and external threats, before taking the bank’s risk-mitigating controls into account. The profile places the bank at one of five inherent risk levels, from Least to Most.
Cybersecurity maturity is then evaluated, on a five-level scale from Baseline to Innovative, across five domains:
- Cyber Risk Management and Oversight
- Threat Intelligence and Collaboration
- Cybersecurity Controls
- External Dependency Management
- Cyber Incident Management and Resilience
The OCC will implement the assessment as part of the bank examination process over time to benchmark and assess bank cybersecurity efforts. The results may be reviewed to determine whether the bank’s cybersecurity maturity levels align with the bank’s inherent risk profile.
While use of the assessment is optional for financial institutions, OCC examiners will use it to supplement exam work to gain a more complete understanding of an institution’s inherent risk, risk management practices, and controls related to cybersecurity.
FFIEC Assessment Report
Sword & Shield delivers a comprehensive assessment report detailing your strengths and weaknesses, as well as a remediation roadmap. This document includes an executive summary to help you communicate the assessment results and necessary action to company decision makers.
Associated Cybersecurity Services
As a full-service information security and compliance firm, Sword & Shield offers a host of related solutions. This streamlines operations, saves you time and money, and provides consistency of quality. In addition to the FFIEC assessment, clients may opt for these related services: