NAFCU letter on FFIEC Cybersecurity Assessment Tool
WASHINGTON, DC (January 13, 2016) — Comments on Agency Information Collection Activities for the FFIEC Cybersecurity Assessment Tool
Dear Mr. Feldstein:
On behalf of the National Association of Federal Credit Unions (NAFCU), the only national trade association focusing exclusively on federal issues affecting the nation’s federally insured credit unions, I am writing to you regarding the second notice and request for comment on the collection of information required under the Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool (Assessment). See 80 FR 78285 (Dec. 16, 2015). NAFCU members strive to ensure the security of their systems and sensitive consumer data as the cyber threat landscape continues to evolve. This voluntary self-assessment tool will be helpful for credit unions of all asset sizes to measure and assess their individual cybersecurity maturity and determine what changes should be implemented based on their internal risk appetite. While NAFCU applauds the collaboration of the FFIEC regulators in releasing the Assessment, we caution the Agencies against any future action to explicitly require that financial institutions complete this Assessment as a supervisory or regulatory expectation.
Voluntary Nature of the Assessment Tool
NAFCU and our members are encouraged that this tool is designed to provide a voluntary risk management process that will help inform business functions of the organization, without being overly prescriptive in requiring desired outcomes to achieve a certain level of cybersecurity preparedness. Once both parts of the Assessment are completed, a credit union’s management can decide what actions are needed either to change the credit union’s inherent risk profile or to achieve a desired state of maturity.
Although the FFIEC states that the cyber assessment tool will remain voluntary, NAFCU is concerned that FFIEC believes that if a financial institution has completed an assessment, examiners may request a copy of all relevant documentation as they would for any risk self-assessment performed by the financial institution. We are concerned that examiners may review the financial institution’s assessment and pressure the institution toward a particular maturity level, rather than evaluating their ability to identify and manage that risk. This Assessment was designed to be used by credit union management on an ongoing basis when considering changes to its business strategy; it was not designed to prescribe desired or required outcomes of individual financial institutions. For example, if there is a small to mid-sized credit union that an examiner requires to increase its maturity levels, this may pressure the credit union toward abandoning or minimizing certain online products, services, or technologies so that the Inherent Risk level decreases, rather than evaluating their ability to manage that risk. This could lead to the unintended consequences of decreasing valued online product offerings and business growth for the credit union. Accordingly, NAFCU and our members urge NCUA and other FFIEC regulators to maintain the voluntary nature of this tool and not make the Assessment a regulatory or supervisory requirement.
While NAFCU and our members strongly support efforts to ensure the safety and security of the financial system from cyber threats, the regulatory pendulum post-crisis has swung too far towards an environment of overregulation that threatens to stifle economic growth and innovation. Cybersecurity poses a unique threat to individual institutions since it requires management discretion about the credit union’s risk appetite and cyber maturity. As such, cybersecurity is not an issue that can be solved with more regulatory red tape. Instead, emerging cyber risks must be addressed by adopting solutions that are scalable and nimble enough to be used both on an institution-level and industry-wide basis to identify and respond to the ever-changing threat landscape.
Clarity and Guidance on the Use of the Assessment Tool
NAFCU appreciates the FFIEC Agencies’ acknowledgment that there is a need to clarify certain aspects of the Assessment as financial institutions begin utilizing the tool. NAFCU looks forward to the FFIEC Assessment FAQ document to address requests for clarification. In particular, NAFCU and our members are interested in receiving examples of how smaller community financial institutions might satisfy certain declarative statements. NAFCU also requests that the Agencies implement a 12-18 month collaborative process with the financial services industry prior to finalizing the Assessment or using the Assessment in examinations.
Just as credit unions and other financial institutions participate in real-time information sharing forums such as the Financial Services Information Sharing and Analysis Center (FS-ISAC), NAFCU believes that financial regulators must increase coordination on monitoring, sharing, and responding to threat and vulnerability information throughout the financial industry. We urge FFIEC regulators to continue to consider ways to more quickly share industry-wide threat data with financial institutions as soon as practicable in order to protect against imminent cyber-attacks.
NAFCU appreciates the opportunity to share our thoughts on the proposed adoption of the FFIEC Cybersecurity Self-Assessment tool. We look forward to continuing to work with NCUA and the other FFIEC regulators to address how best to secure credit unions and their members against the evolving threats in the cybersecurity landscape. Should you have any questions or wish to discuss these issues further, please feel free to contact me at firstname.lastname@example.org or (703) 842-2212.
Regulatory Affairs Counsel
The National Association of Federally-Insured Credit Unions is the only national trade association focusing exclusively on federal issues affecting the nation’s federally-insured credit unions. NAFCU membership is direct and provides credit unions with the best in federal advocacy, education and compliance assistance. For more information on NAFCU, go to www.nafcu.org or @NAFCU on Twitter.