Financial institutions must encrypt all online transaction processing

Framework Snapshot

The Federal Financial Institutions Examination Council (FFIEC) developed its cybersecurity assessment tool to help financial institutions identify their risks and determine their level of cybersecurity preparedness. To comply, organizations must conform to FFIEC standards for online banking. Compliance success is determined by comprehensively assessing an organization’s IT environment and identifying potential security weaknesses and threats. To maintain an adequate security posture, goals are set, solutions implemented, and periodic risk assessments performed.

An important requirement for FFIEC compliance is multi-factor authentication (MFA). Acceptable MFA includes biometric verification methods such as finger scanning, iris recognition, facial recognition, and voice ID. Smart cards and other electronic devices may also be used together with traditional user IDs and acceptably strong passwords. Financial institutions must encrypt all online transaction processing (OLTP). Encryption levels must be sufficient to prevent unauthorized disclosure within a financial institution’s internal networks and among shared external networks.

FFIEC Automation: Compliance for Less

The SureShield platform simplifies FFIEC compliance by automating technical controls and guiding you through operational controls. SureShield’s automation will reduce your overall FFIEC compliance cost by up to 90% when compared to traditional, labor-intensive compliance methods. For organizations requiring compliance with multiple frameworks, crosswalk automation drives cost savings up toward 90%.

Authorization Process



    Why It Matters?

    Increasing Cyberattacks

    FFIEC helps member organizations understand and address risk in view of the increasing volume and severity of cyber incidents.

    Cybersecurity Assessment Tool (CAT)

    FFIEC developed a tool to construct a quantitative view of an organization’s risk exposure and to evaluate strategies to minimize threats.

    Encourages Use Of NIST Framework

    FFIEC encourages the use of NIST with the more industry-specific CAT for its members, i.e., banks, credit unions, and other financial institutions.

    The FFIEC has established regulations highlighting 11 security priorities for financial institution operations. By fully addressing these areas, organizations can put industry best practices in place to operate as a federally supervised financial institution without worrying about incurring fines and other penalties.

    The 11 security priorities for financial institution operations are:

    • Business Continuity Planning
    • Development and Acquisition
    • Electronic Banking
    • Information Security
    • IT Audit
    • IT Management
    • Operations
    • Outsourcing Technology Services
    • Retail Payment System
    • Supervision of Technology Service Providers
    • Wholesale Payment Systems


    The Assessment Consists of Two Parts

    The FFIEC Cybersecurity Assessment Tool (CAT) measures the security risk present in an institution and its preparedness to mitigate that risk. FFIEC CAT Inherent Risk Profile measures risk across five categories and Cybersecurity Maturity identifies the institution’s inherent risk before implementing controls. Management first assesses the institution’s inherent risk profile based on five categories.

    • Technologies and Connection Types
    • Delivery Channels
    • Online/Mobile Products and Technology Services
    • Organizational Characteristics
    • External Threats


    The FFIEC CAT Cybersecurity Maturity Assessment assigns a value to maturity levels in five domains. While management can determine the institution’s maturity level in each domain, the assessment is not designed to identify a composite maturity level.

    • Cyber Risk Management and Oversight
    • Threat Intelligence and Collaboration
    • Cybersecurity Controls
    • External Dependency Management
    • Cyber Incident Management and Resilience

    Activate FFIEC framework


    Install scanner for compliance evidence gathering


    Review baseline evidence to score compliance control status


    Close compliance gaps


    Ongoing compliance and gap surveillance


    Enforced maintenance of compliance readiness

    Free COMPLiANCE Assessment

    Do you need help assessing your compliance readiness? Learn how our automated crosswalk technology will dramatically reduce your labor requirements. Schedule your free consulting session, up to 1 hour.