Aaron Rodgers and the FFIEC Cybersecurity Assessment
Last year, the Packers started out with a 1-2 record after beginning the season as the odds-on favorite to win the NFC North. Panic spread throughout Packer Nation, with some suggesting that a call be made to Sumrall, Mississippi, to coax #4 out of retirement to once again lead the team.
Confronted by a mob of anxious cheeseheads with microphones, Aaron Rodgers calmly said, “Five letters here just for everybody out there in Packer-land: R-E-L-A-X. Relax. We’re going to be okay.”
After those soothing words, the clouds parted, the birds started singing again, and harmony returned to Green Bay. Rodgers proceeded to lead the team to 11 wins and was named to the All-Pro team.
Financial institutions might be well-advised to remember those five letters as they review the results from their FFIEC cybersecurity assessment. It is understandable for bankers to panic because they did not meet the “baseline” cybersecurity maturity level. My advice is to take a deep breath and R-E-L-A-X. You are not alone. There is time to revise your game plan.
At Wipfli, we have assisted several banks and credit unions with the FFIEC cybersecurity assessment. These institutions have ranged in asset size from under $70 million to over $2 billion (mean asset size: $430 million). Here are some data points and observations from going through the initial assessment with our clients:
- Eighty-five percent have an inherent risk rating of “minimal.” The other 15% are either “least” or “moderate” risk.
- Only slightly more than 10% met the baseline requirements for all five domains.
To unpack this a bit more, below are the percentages of financial institutions that met the baseline requirement for each domain:
- Cyber Risk Management Oversight—32%
- Threat Intelligence and Collaboration—63%
- Cybersecurity Controls—26%
- External Dependency Management—42%
- Cyber Incident Management and Resilience—58%
I realize these percentages do not look great. But before going into a panic like some people in Packer-land did in week three, rest assured that most were able to meet the minimum requirement (or at least be well on their way) with a few minor tweaks to their cybersecurity program.
I recommend you answer each of the declarative statements honestly and set your expectations that there will be some gaps. By identifying the gaps now, you can devise a game plan that will lead to future success.
For those who need some help and guidance, consider using Wipfli to help facilitate the process. Our experience in working with a variety of financial institutions will undoubtedly save you time and deliver better results. If you have the resources to do it yourself, use our free online tool to automate and streamline the process. In either case, remember that it is early in the season and that with the right leadership there is still time to develop a winning plan. Relax. You’re going to be okay.