Virtual Cyber & Technology Risk Management Forum

FFIEC Cybersecurity Assessment Tool

• Vendor Management is all over the FFIEC CAT
• Inherent Risk Profile
  o Six (6) questions (of 39) mention Third Parties, including identifying the number of vendors that have access to internal systems, as well as hosted ATMs, cards (debit, credit, and prepaid), ACH origination, and Trust
• Cybersecurity Maturity
  o “Third Party” listed 33 times total, “vendor” another four (4) times
  o Domain 4: External Dependency Management (all about 3PM)
    ▪ Assessment Factors include: Connections, Due Diligence, Contracts, and Ongoing Monitoring

© 2020 SBS CyberSecurity, LLC www.sbscyber.com
