Policymakers must recognize existing cybersecurity frameworks, tools, and assessments, such as the Commerce Department’s National Institute of Standards and Technology (NIST) Cybersecurity Framework and the Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool (CAT). NIST provides a structure that organizations, regulators, and customers may use to create, guide, assess, or improve comprehensive cybersecurity programs. CAT is a voluntary framework now commonly used by community banks and examiners.
Members of the Financial Services Sector Coordinating Council are developing a new sector profile that seeks to create a voluntary cybersecurity tool for financial institutions. The proposed profile melds cybersecurity frameworks, tools, and assessments, both voluntary and mandatory, into one new framework. Some of the informative references being used in the development of the framework do not reflect the negligible risk posed by community banks to the financial services system.
Regulators should not mandate the use of any one framework, tool, or assessment, but rather support community banks’ ability to use the framework, tool, or assessment that best suits their institution’s size and complexity.