
FFIEC Cybersecurity Assessment Tool Inherent Risk Profile

Inherent Risk Profile

Risk Levels: Least, Minimal, Moderate, Significant, Most

Category: Technologies and Connection Types

Total number of Internet service provider (ISP) connections (including branch connections)
  Least: No connections
  Minimal: Minimal complexity (1–20 connections)
  Moderate: Moderate complexity (21–100 connections)
  Significant: Significant complexity (101–200 connections)
  Most: Substantial complexity (>200 connections)

Unsecured external connections, number of connections not users (e.g., file transfer protocol (FTP), Telnet, rlogin)
  Least: None
  Minimal: Few instances of unsecured connections (1–5)
  Moderate: Several instances of unsecured connections (6–10)
  Significant: Significant instances of unsecured connections (11–25)
  Most: Substantial instances of unsecured connections (>25)

Wireless network access
  Least: No wireless access
  Minimal: Separate access points for guest wireless and corporate wireless
  Moderate: Guest and corporate wireless network access are logically separated; limited number of users and access points (1–250 users; 1–25 access points)
  Significant: Wireless corporate network access; significant number of users and access points (251–1,000 users; 26–100 access points)
  Most: Wireless corporate network access; all employees have access; substantial number of access points (>1,000 users; >100 access points)

Personal devices allowed to connect to the corporate network
  Least: None
  Minimal: Only one device type available; available to <5% of employees (staff, executives, managers); e-mail access only
  Moderate: Multiple device types used; available to <10% of employees (staff, executives, managers) and board; e-mail access only
  Significant: Multiple device types used; available to <25% of authorized employees (staff, executives, managers) and board; e-mail and some applications accessed
  Most: Any device type used; available to >25% of employees (staff, executives, managers) and board; all applications accessed

Third parties, including number of organizations and number of individuals from vendors and subcontractors, with access to internal systems (e.g., virtual private network, modem, intranet, direct connection)
  Least: No third parties and no individuals from third parties with access to systems
  Minimal: Limited number of third parties (1–5) and limited number of individuals from third parties (<50) with access; low complexity in how they access systems
  Moderate: Moderate number of third parties (6–10) and moderate number of individuals from third parties (50–500) with access; some complexity in how they access systems
  Significant: Significant number of third parties (11–25) and significant number of individuals from third parties (501–1,500) with access; high level of complexity in terms of how they access systems
  Most: Substantial number of third parties (>25) and substantial number of individuals from third parties (>1,500) with access; high complexity in how they access systems
May 2017 11

Wholesale customers with dedicated connections
  Least: None
  Minimal: Few dedicated connections (between 1–5)
  Moderate: Several dedicated connections (between 6–10)
  Significant: Significant number of dedicated connections (between 11–25)
  Most: Substantial number of dedicated connections (>25)

Internally hosted and developed or modified vendor applications supporting critical activities
  Least: No applications
  Minimal: Few applications (between 1–5)
  Moderate: Several applications (between 6–10)
  Significant: Significant number of applications (between 11–25)
  Most: Substantial number of applications and complexity (>25)

Internally hosted, vendor-developed applications supporting critical activities
  Least: Limited applications (0–5)
  Minimal: Few applications (6–30)
  Moderate: Several applications (31–75)
  Significant: Significant number of applications (76–200)
  Most: Substantial number of applications and complexity (>200)

User-developed technologies and user computing that support critical activities (includes Microsoft Excel spreadsheets and Access databases or other user-developed tools)
  Least: No user-developed technologies
  Minimal: 1–100 technologies
  Moderate: 101–500 technologies
  Significant: 501–2,500 technologies
  Most: >2,500 technologies

End-of-life (EOL) systems
  Least: No systems (hardware or software) that are past EOL or at risk of nearing EOL within 2 years
  Minimal: Few systems that are at risk of EOL and none that support critical operations
  Moderate: Several systems that will reach EOL within 2 years and some that support critical operations
  Significant: A large number of systems that support critical operations at EOL or are at risk of reaching EOL in 2 years
  Most: Majority of critical operations dependent on systems that have reached EOL or will reach EOL within the next 2 years or an unknown number of systems that have reached EOL

Open Source Software (OSS)
  Least: No OSS
  Minimal: Limited OSS and none that support critical operations
  Moderate: Several OSS that support critical operations
  Significant: Large number of OSS that support critical operations
  Most: Majority of operations dependent on OSS

Network devices (e.g., servers, routers, and firewalls; include physical and virtual)
  Least: Limited or no network devices (<250)
  Minimal: Few devices (250–1,500)
  Moderate: Several devices (1,501–25,000)
  Significant: Significant number of devices (25,001–50,000)
  Most: Substantial number of devices (>50,000)

Third-party service providers storing and/or processing information that support critical activities (Do not have access to internal systems, but the institution relies on their services)
  Least: No third parties that support critical activities
  Minimal: 1–25 third parties that support critical activities
  Moderate: 26–100 third parties that support critical activities
  Significant: 101–200 third parties that support critical activities; 1 or more are foreign-based
  Most: >200 third parties that support critical activities; 1 or more are foreign-based

Cloud computing services hosted externally to support critical activities
  Least: No cloud providers
  Minimal: Few cloud providers; private cloud only (1–3)
  Moderate: Several cloud providers (4–7)
  Significant: Significant number of cloud providers (8–10); cloud-provider locations used include international; use of public cloud
  Most: Substantial number of cloud providers (>10); cloud-provider locations used include international; use of public cloud

Category: Delivery Channels

Online presence (customer)
  Least: No Web-facing applications or social media presence
  Minimal: Serves as an informational Web site or social media page (e.g., provides branch and ATM locations and marketing materials)
  Moderate: Serves as a delivery channel for retail online banking; may communicate to customers through social media
  Significant: Serves as a delivery channel for wholesale customers; may include retail account origination
  Most: Internet applications serve as a channel to wholesale customers to manage large value assets

Mobile presence
  Least: None
  Minimal: SMS text alerts or notices only; browser-based access
  Moderate: Mobile banking application for retail customers (e.g., bill payment, mobile check capture, internal transfers only)
  Significant: Mobile banking application includes external transfers (e.g., for corporate clients, recurring external transactions)
  Most: Full functionality, including originating new transactions (e.g., ACH, wire)

Automated Teller Machines (ATM) (Operation)
  Least: No ATM services
  Minimal: ATM services offered but no owned machines
  Moderate: ATM services managed by a third party; ATMs at local and regional branches; cash reload services outsourced
  Significant: ATM services managed internally; ATMs at U.S. branches and retail locations; cash reload services outsourced
  Most: ATM services managed internally; ATM services provided to other financial institutions; ATMs at domestic and international branches and retail locations; cash reload services managed internally


Category: Online/Mobile Products and Technology Services

Issue debit or credit cards
  Least: Do not issue debit or credit cards
  Minimal: Issue debit and/or credit cards through a third party; <10,000 cards outstanding
  Moderate: Issue debit or credit cards through a third party; between 10,000–50,000 cards outstanding
  Significant: Issue debit or credit cards directly; between 50,000–100,000 cards outstanding
  Most: Issue debit or credit cards directly; >100,000 cards outstanding; issue cards on behalf of other financial institutions

Prepaid cards
  Least: Do not issue prepaid cards
  Minimal: Issue prepaid cards through a third party; <5,000 cards outstanding
  Moderate: Issue prepaid cards through a third party; 5,000–10,000 cards outstanding
  Significant: Issue prepaid cards through a third party; 10,001–20,000 cards outstanding
  Most: Issue prepaid cards internally, through a third party, or on behalf of other financial institutions; >20,000 cards outstanding

Emerging payments technologies (e.g., digital wallets, mobile wallets)
  Least: Do not accept or use emerging payments technologies
  Minimal: Indirect acceptance or use of emerging payments technologies (customer use may affect deposit or credit account)
  Moderate: Direct acceptance or use of emerging payments technologies; partner or co-brand with non-bank providers; limited transaction volume
  Significant: Direct acceptance or use of emerging payments technologies; small transaction volume; no foreign payments
  Most: Direct acceptance of emerging payments technologies; moderate transaction volume and/or foreign payments

Person-to-person payments (P2P)
  Least: Not offered
  Minimal: Customers allowed to originate payments; used by <1,000 customers or monthly transaction volume is <50,000
  Moderate: Customers allowed to originate payments; used by 1,000–5,000 customers or monthly transaction volume is between 50,000–100,000
  Significant: Customers allowed to originate payments; used by 5,001–10,000 customers or monthly transaction volume is between 100,001–1 million
  Most: Customers allowed to request payment or to originate payment; used by >10,000 customers or monthly transaction volume >1 million

Originating ACH payments
  Least: No ACH origination
  Minimal: Originate ACH credits; daily volume <3% of total assets
  Moderate: Originate ACH debits and credits; daily volume is 3%–5% of total assets
  Significant: Sponsor third-party payment processor; originate ACH debits and credits with daily volume 6%–25% of total assets
  Most: Sponsor nested third-party payment processors; originate debits and credits with daily volume that is >25% of total assets

Originating wholesale payments (e.g., CHIPS)
  Least: Do not originate wholesale payments
  Minimal: Daily originated wholesale payment volume <3% of total assets
  Moderate: Daily originated wholesale payment volume 3%–5% of total assets
  Significant: Daily originated wholesale payment volume 6%–25% of total assets
  Most: Daily originated wholesale payment volume >25% of total assets


Wire transfers
  Least: Not offered
  Minimal: In person wire requests only; domestic wires only; daily wire volume <3% of total assets
  Moderate: In person, phone, and fax wire requests; domestic daily wire volume 3%–5% of total assets; international daily wire volume <3% of total assets
  Significant: Multiple request channels (e.g., online, text, e-mail, fax, and phone); daily domestic wire volume 6%–25% of total assets; daily international wire volume 3%–10% of total assets
  Most: Multiple request channels (e.g., online, text, e-mail, fax, and phone); daily domestic wire volume >25% of total assets; daily international wire volume >10% of total assets

Merchant remote deposit capture (RDC)
  Least: Do not offer Merchant RDC
  Minimal: <100 merchant clients; daily volume of transactions is <3% of total assets
  Moderate: 100–500 merchant clients; daily volume of transactions is 3%–5% of total assets
  Significant: 501–1,000 merchant clients; daily volume of transactions is 6%–25% of total assets
  Most: >1,000 merchant clients; daily volume of transactions is >25% of total assets

Global remittances
  Least: Do not offer global remittances
  Minimal: Gross daily transaction volume is <3% of total assets
  Moderate: Gross daily transaction volume is 3%–5% of total assets
  Significant: Gross daily transaction volume is 6%–25% of total assets
  Most: Gross daily transaction volume is >25% of total assets

Treasury services and clients
  Least: No treasury management services are offered
  Minimal: Limited services offered; number of clients is <1,000
  Moderate: Services offered include lockbox, ACH origination, and remote deposit capture; number of clients is between 1,000–10,000
  Significant: Services offered include accounts receivable solutions and liquidity management; number of clients is between 10,001–20,000
  Most: Multiple services offered including currency services, online investing, and investment sweep accounts; number of clients is >20,000

Trust services
  Least: Trust services are not offered
  Minimal: Trust services are offered through a third-party provider; assets under management total <$500 million
  Moderate: Trust services provided directly; portfolio of assets under management total $500 million–$999 million
  Significant: Trust services provided directly; assets under management total $1 billion–$10 billion
  Most: Trust services provided directly; assets under management total >$10 billion

Act as a correspondent bank (Interbank transfers)
  Least: Do not act as a correspondent bank
  Minimal: Act as a correspondent bank for <100 institutions
  Moderate: Act as a correspondent bank for 100–250 institutions
  Significant: Act as a correspondent bank for 251–500 institutions
  Most: Act as a correspondent bank for >500 institutions


Merchant acquirer (sponsor merchants or card processor activity into the payment system)
  Least: Do not act as a merchant acquirer
  Minimal: Act as a merchant acquirer; <1,000 merchants
  Moderate: Act as a merchant acquirer; outsource card payment processing; 1,000–10,000 merchants
  Significant: Act as a merchant acquirer and card payment processor; 10,001–100,000 merchants
  Most: Act as a merchant acquirer and card payment processor; >100,000 merchants

Host IT services for other organizations (either through joint systems or administrative support)
  Least: Do not provide IT services for other organizations
  Minimal: Host or provide IT services for affiliated organizations
  Moderate: Host or provide IT services for up to 25 unaffiliated organizations
  Significant: Host or provide IT services for 26–50 unaffiliated organizations
  Most: Host or provide IT services for >50 unaffiliated organizations

Category: Organizational Characteristics

Mergers and acquisitions (including divestitures and joint ventures)
  Least: None planned
  Minimal: Open to initiating discussions or actively seeking a merger or acquisition
  Moderate: In discussions with at least 1 party
  Significant: A sale or acquisition has been publicly announced within the past year, in negotiations with 1 or more parties
  Most: Multiple ongoing integrations of acquisitions are in process

Direct employees (including information technology and cybersecurity contractors)
  Least: Number of employees totals <50
  Minimal: Number of employees totals 50–2,000
  Moderate: Number of employees totals 2,001–10,000
  Significant: Number of employees totals 10,001–50,000
  Most: Number of employees is >50,000

Changes in IT and information security staffing
  Least: Key positions filled; low or no turnover of personnel
  Minimal: Staff vacancies exist for non-critical roles
  Moderate: Some turnover in key or senior positions
  Significant: Frequent turnover in key staff or senior positions
  Most: Vacancies in senior or key positions for long periods; high level of employee turnover in IT or information security

Privileged access (Administrators–network, database, applications, systems, etc.)
  Least: Limited number of administrators; limited or no external administrators
  Minimal: Level of turnover in administrators does not affect operations or activities; may utilize some external administrators
  Moderate: Level of turnover in administrators affects operations; number of administrators for individual systems or applications exceeds what is necessary
  Significant: High reliance on external administrators; number of administrators is not sufficient to support level or pace of change
  Most: High employee turnover in network administrators; many or most administrators are external (contractors or vendors); experience in network administration is limited


Changes in IT environment (e.g., network, infrastructure, critical applications, technologies supporting new products or services)
  Least: Stable IT environment
  Minimal: Infrequent or minimal changes in the IT environment
  Moderate: Frequent adoption of new technologies
  Significant: Volume of significant changes is high
  Most: Substantial change in outsourced provider(s) of critical IT services; large and complex changes to the environment occur frequently

Locations of branches/business presence
  Least: 1 state
  Minimal: 1 region
  Moderate: 1 country
  Significant: 1–20 countries
  Most: >20 countries

Locations of operations/data centers
  Least: 1 state
  Minimal: 1 region
  Moderate: 1 country
  Significant: 1–10 countries
  Most: >10 countries

Category: External Threats

Attempted cyber attacks
  Least: No attempted attacks or reconnaissance
  Minimal: Few attempts monthly (<100); may have had generic phishing campaigns received by employees and customers
  Moderate: Several attempts monthly (100–500); phishing campaigns targeting employees or customers at the institution or third parties supporting critical activities; may have experienced an attempted Distributed Denial of Service (DDoS) attack within the last year
  Significant: Significant number of attempts monthly (501–100,000); spear phishing campaigns targeting high net worth customers and employees at the institution or third parties supporting critical activities; Institution specifically is named in threat reports; may have experienced multiple attempted DDoS attacks within the last year
  Most: Substantial number of attempts monthly (>100,000); persistent attempts to attack senior management and/or network administrators; frequently targeted for DDoS attacks


Total

Number of Statements Selected in Each Risk Level
  Least: ____  Minimal: ____  Moderate: ____  Significant: ____  Most: ____

Based on Individual Risk Levels Selected, Assign an Inherent Risk Profile
  Least / Minimal / Moderate / Significant / Most
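The two summary rows above (count the statements selected in each risk level, then assign an overall Inherent Risk Profile) are the part of the worksheet that institutions most often script. The following is an added example, not code from the FFIEC or the Assessment Tool: it maps measured counts for the worksheet's quantitative rows to a risk level using the thresholds printed in the tables above, tallies selections per level, and assigns a profile. The row names, the sample institution's figures, and the assignment rule (the level with the most selections, ties resolved toward the higher level) are assumptions made for this example; the worksheet itself leaves the final assignment to management judgment.

```python
"""Tally Inherent Risk Profile selections (added example, not FFIEC code)."""
from collections import Counter

LEVELS = ["Least", "Minimal", "Moderate", "Significant", "Most"]

# Inclusive upper bounds for Least, Minimal, Moderate and Significant, taken
# from the quantitative rows of the Inherent Risk Profile tables above; any
# value above the last bound maps to Most.  Row names are this example's own.
# Qualifiers such as "1 or more are foreign-based" are not modelled here.
QUANTITATIVE_ROWS = {
    "ISP connections":                   (0, 20, 100, 200),
    "Unsecured external connections":    (0, 5, 10, 25),
    "Wholesale dedicated connections":   (0, 5, 10, 25),
    "Network devices":                   (249, 1500, 25000, 50000),
    "Third-party service providers":     (0, 25, 100, 200),
    "Direct employees":                  (49, 2000, 10000, 50000),
    "Attempted cyber attacks (monthly)": (0, 99, 500, 100000),
}


def level_for_count(row, value):
    """Map a measured count to the risk level of the named quantitative row."""
    if value < 0:
        raise ValueError("counts cannot be negative")
    bounds = QUANTITATIVE_ROWS[row]
    for level, upper in zip(LEVELS, bounds):
        if value <= upper:
            return level
    return "Most"


def tally(selections):
    """Number of statements selected in each risk level (the 'Total' row)."""
    counts = Counter(selections.values())
    unknown = set(counts) - set(LEVELS)
    if unknown:
        raise ValueError(f"unknown risk level(s): {sorted(unknown)}")
    return {level: counts.get(level, 0) for level in LEVELS}


def assign_profile(counts):
    """Assumed rule: the level with the most selections; a tie goes to the
    higher level, which is the conservative choice for an inherent risk score."""
    return max(LEVELS, key=lambda lvl: (counts[lvl], LEVELS.index(lvl)))


def assess(metrics, qualitative):
    """Combine counted rows and judged rows into selections, totals and a profile."""
    selections = {row: level_for_count(row, v) for row, v in metrics.items()}
    selections.update(qualitative)
    counts = tally(selections)
    return selections, counts, assign_profile(counts)


# Constructed sample institution (not real data).
SAMPLE_METRICS = {
    "ISP connections": 12,
    "Unsecured external connections": 0,
    "Wholesale dedicated connections": 7,
    "Network devices": 1800,
    "Third-party service providers": 30,
    "Direct employees": 450,
    "Attempted cyber attacks (monthly)": 250,
}
# Rows that the worksheet describes qualitatively are entered as judged levels.
SAMPLE_QUALITATIVE = {
    "Wireless network access": "Moderate",
    "Online presence": "Moderate",
    "Mobile presence": "Minimal",
    "Open Source Software": "Minimal",
}

if __name__ == "__main__":
    selections, counts, profile = assess(SAMPLE_METRICS, SAMPLE_QUALITATIVE)
    for row, level in selections.items():
        print(f"{row:36s} {level}")
    print("Totals:", counts)
    print("Inherent Risk Profile:", profile)
```

Boundary values matter here: the worksheet's bands are contiguous ("<250" then "250–1,500"), so each bound is stored as the last value still inside the lower band, and a quick check of the values on either side of each boundary is worth keeping in a unit test when the thresholds are transcribed.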

