FFIEC Threat-Informed

Cyber Risk Assessment

Have Confidence in Your Measurement of Cyber Risk

Problem

“Where are we really with security risk?” The problem is that this question isn’t answered by meeting regulatory compliance, having security controls in place, or even running the typical security assessment. They all inform, but they lack critical context. Security leaders and Boards of Directors want to know:

  • If we were breached, what would that loss look like?
  • Is our cybersecurity insurance coverage adequately configured?
  • Are we spending enough on cybersecurity in the right places?
  • What should cybersecurity strategy be for the next 3-5 years?

How We Help

Only a security assessment that is evaluated against both FFIEC standards and the attack vectors prevalent in the industry, and then subjected to statistical modeling, paints the picture clearly. The results include meaningful ratings of existing controls, which help evaluate program health and prioritize needed action. This approach gives leadership the information it asks for, enabling confident communication and informed decisions that best protect your critical data and reputation.

  • Grades controls against prevalent financial cyberattacks and FFIEC standards
  • Clearly identifies risk, providing a reliable range of potential financial losses
  • Provides independent program validation through the lens of prevalent industry attacks
  • Enables strategic spend where your financial risk is greatest

FFIEC Cyber Security Assessment

Simply following FFIEC guidance and “best practices” is no longer enough to protect customer data. Banks must focus resources in the areas that yield the most benefit. Alagen Strategic Advisory consultants start by reviewing your organization’s inherent risk profile, the first part of the Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool (CAT), which places the institution on a scale from Least to Most inherent risk. Once that profile is validated, the organization is assessed against the five domains of the CAT’s Cybersecurity Maturity part (Cyber Risk Management and Oversight; Threat Intelligence and Collaboration; Cybersecurity Controls; External Dependency Management; Cyber Incident Management and Resilience) to confirm that the maturity level appropriate to its inherent risk has been achieved. Unlike a traditional audit, which records only whether each declarative statement is met, this deep-dive review assigns an effectiveness score to each declarative statement. Recommendations for any identified gaps are provided.

Tested Against Prevalent Threats

Next, a scenario-based risk assessment is performed within your environment against the breach categories seen in the industry: crimeware, insider and privilege misuse, cyber-espionage, denial-of-service (DoS) attacks, web application attacks, physical theft and loss, payment card losses, and miscellaneous errors. Attack scenarios, derived from industry breach reports, are developed for each loss category based on the services and applications in use at your company. A probability simulation is then run for each threat using the parameters identified in the scenario analysis and the previously determined ratings of the controls that defend against it. Used in this manner, the model shows the impact of the risk: a meaningful, quantifiable range of potential cybersecurity losses with the probability attached to each.
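As an added example of the kind of probability simulation described above (this is not Alagen’s model or code from this page), the following Python script runs a Monte Carlo loss simulation over the eight breach categories named on the page. The scenario names are taken from the page; the attempt rates, per-event loss distributions (lognormal, parameterized by a median and a spread) and control-effectiveness ratings are constructed assumptions, as is the simplifying rule that a control rating thins the attempt rate proportionally. The output is an annual loss distribution, the percentiles an insurer or a capital-reserve discussion would use, and the scenarios driving the expected loss.

```python
"""Scenario-based cyber loss simulation (added example, not Alagen's model).

Each breach category becomes a scenario with constructed parameters: an annual
attempt rate, a lognormal per-event loss, and a control-effectiveness rating in
[0, 1] standing in for the graded controls. A Monte Carlo run over many
simulated years yields a loss distribution from which value-at-risk style
percentiles and the per-scenario loss drivers are read.
"""
import math
import random
import statistics
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    name: str
    attempts_per_year: float      # expected attempts per year before controls (assumed)
    loss_median: float            # median loss per successful event, USD (assumed)
    loss_sigma: float             # lognormal sigma of the per-event loss (assumed)
    control_effectiveness: float  # 0.0 = never blocks, 1.0 = always blocks (assumed rating)


# Constructed parameters for the eight categories named on the page.
SCENARIOS = [
    Scenario("crimeware",                    4.0,   150_000, 1.0, 0.85),
    Scenario("insider and privilege misuse", 1.0,   300_000, 1.2, 0.60),
    Scenario("cyber-espionage",              0.3, 2_000_000, 1.5, 0.70),
    Scenario("denial of service",            6.0,    40_000, 0.8, 0.90),
    Scenario("web application attacks",      3.0,   500_000, 1.3, 0.75),
    Scenario("physical theft and loss",      2.0,    20_000, 0.7, 0.50),
    Scenario("payment card losses",          1.5,   250_000, 1.1, 0.80),
    Scenario("miscellaneous errors",         5.0,    30_000, 0.9, 0.40),
]


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler; adequate for the small rates used here."""
    if lam <= 0:
        return 0
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate(scenarios, years=20_000, seed=7):
    """Return (annual_totals, per_scenario_mean_loss) over `years` simulated years."""
    rng = random.Random(seed)
    annual_totals = []
    per_scenario = {s.name: 0.0 for s in scenarios}
    for _ in range(years):
        total = 0.0
        for s in scenarios:
            # Successful events per year: attempts thinned by the control rating.
            rate = s.attempts_per_year * (1.0 - s.control_effectiveness)
            for _ in range(poisson(rng, rate)):
                loss = rng.lognormvariate(math.log(s.loss_median), s.loss_sigma)
                total += loss
                per_scenario[s.name] += loss
        annual_totals.append(total)
    means = {name: v / years for name, v in per_scenario.items()}
    return annual_totals, means


def percentile(sorted_values, p):
    """Nearest-rank percentile on an already-sorted list."""
    idx = min(len(sorted_values) - 1, math.ceil(p / 100.0 * len(sorted_values)) - 1)
    return sorted_values[max(idx, 0)]


def summarize(annual_totals):
    s = sorted(annual_totals)
    return {
        "expected_annual_loss": statistics.fmean(s),
        "p50": percentile(s, 50),
        "p90": percentile(s, 90),
        "p95": percentile(s, 95),  # a 1-in-20-year loss; a starting point for insurance limits
        "prob_any_loss": sum(1 for x in s if x > 0) / len(s),
    }


def with_control(scenarios, name, effectiveness):
    """What-if: re-rate one scenario's control and return the new scenario list."""
    return [replace(s, control_effectiveness=effectiveness) if s.name == name else s
            for s in scenarios]


if __name__ == "__main__":
    totals, drivers = simulate(SCENARIOS)
    for key, value in summarize(totals).items():
        print(f"{key:>22}: {value:,.2f}")
    print("largest expected-loss drivers:")
    for name, mean_loss in sorted(drivers.items(), key=lambda kv: -kv[1])[:3]:
        print(f"  {name}: {mean_loss:,.0f}/yr")
```

The `with_control` helper is what makes the model useful for spend decisions: re-run the simulation with one control re-rated and compare the change in expected annual loss or in the p95 against the cost of the control. Two caveats a practitioner should keep in mind: the loss tail is dominated by the scenarios with the widest spread (here cyber-espionage), so the p95 is far less stable than the mean and needs many simulated years, and the proportional-thinning rule is a deliberate simplification; a real assessment would model detective and responsive controls as reducing loss magnitude rather than event frequency.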

Outcome

An FFIEC Threat-Informed Cyber Risk Assessment allows your organization to:

  • Quantify your cybersecurity risk in terms of value at risk and potential financial loss
  • Identify an appropriate level of cybersecurity insurance, targeting the areas with the greatest loss potential
  • Independently validate the quality and effectiveness of your IT controls against current threat scenarios
  • Adopt a repeatable cyber risk assessment process that feeds the bank’s Enterprise Risk Management program
  • Enhance your annual information technology risk assessment using FFIEC-based evaluation criteria that examiners know and understand
  • Prioritize and close control gaps, strengthening the Information Security Program
  • Focus financial resources on the controls that defend against the most costly attacks
  • Provide a documented methodology justifying capital reserves for the cyber component of operational risk