
FFIEC Updates Cybersecurity Assessment Tool
Friday, June 23, 2017 6:30 AM

Kevin Hood, CISA, IT Consultant, Credit Union Resources

On May 31, the Federal Financial Institutions Examination Council released a much-anticipated update to its Cybersecurity Assessment Tool. After almost two years, the tool has been updated to address two major changes.

The first update addresses the changes to the FFIEC IT Examination Booklet: the mapping in Appendix A of the updated tool now reflects those changes in the examination booklets. The second major change gives credit unions more response options for each declarative statement. These additional response options are the most significant change and will allow credit unions to more easily reach a baseline level of maturity.

The NCUA has stated that all credit unions that use the tool, regardless of size, should strive to be at least at the baseline level. With the previous version of the tool, which was originally released in June 2015, credit unions only had the option of answering yes or no to each declarative statement. All declarative statements within each assessment factor had to be answered yes in order to obtain baseline in that area. So, even if you answered yes to 9 out of 10 statements, you still were not baseline.

With the update, credit unions can now answer "Yes with Compensating Controls." This will allow better customization of the tool based on your specific credit union, which had been one of the major criticisms of the original version. 

Maybe you are not doing exactly what is stated in a certain declarative statement; however, you are addressing that specific risk through another policy or procedure. This update will allow you to answer that statement "Yes with Compensating Controls" and provide a documented response as to how you are addressing that item.

So what should credit unions expect? First off, the NCUA and FFIEC are still considering this tool voluntary, but they do recommend you look at it. The NCUA is in the process of training their field examiners to look at this tool in late 2017 and into 2018. If you have not taken time to look at the tool yet, now is a good time to begin doing so. 

And don’t get discouraged. Of all the Cybersecurity Assessment Tool reviews I’ve performed with credit unions so far, no one has reached full baseline in all domains. It should be seen as an ongoing process. According to FFIEC, the tool is designed to be a “repeatable and measurable process to inform management of their institution’s risks and cybersecurity preparedness.”

As noted above, while the tool has not been without its criticisms, it is a great start to emphasizing the importance of a strong cybersecurity program. 

Credit Union Resources has Technology Consulting & Compliance Services available for credit unions of all sizes. For additional information, please contact Deana Brown or Idrees Rafiq.