TPA Cybersecurity Assessment Report (CAR)
11/24/2023 1
Third Party Administrator (TPA)
1234 Front Street
Shreveport, Louisiana 71101
www.tpa.us
Cybersecurity Assessment Report (CAR)
June 23, 2022
Prepared by John C. Blackshire, Jr.
The Accountware Group, Inc. (TAG)
7850 North Silverbell Road, Suite 114-358
Tucson, Arizona 85743
479-200-4373
www.accountwaregroup.com
Table of Contents
Executive Summary ... 3
Risk/Maturity Relationship ... 5
List of Appendices
Appendix A: Acronyms and Definitions ... 6
Appendix B: Assessment Methodology ... 8
Appendix C: Background on TPA Information Processing ... 14
Appendix D: Inherent Risk Assessment ... 16
Appendix E: Internal Controls Maturity Assessment ... 20
Appendix F: Cybersecurity Level of Maturity Determination ... 41
Appendix G: Criteria Development Materials Used ... 46
Executive Summary
June 16, 2022
Jim Mann
Information Technology Manager
Third Party Administrator
1234 Front Street
Shreveport, Louisiana 71101
Dear Jim:
This TPA Cybersecurity Assessment Report (CAR) was designed to benchmark the
current TPA cybersecurity internal controls against a set of recognized criteria. The
criteria used were based on the FFIEC Cybersecurity Assessment Tool (CAT), which was
created using NIST SP 800-53 and ISO 27001 as its base criteria.
This benchmarking will allow TPA Management to formalize future improvements to the
TPA cybersecurity internal control framework. This benchmark can also be shared with
FinlandRe to help with compliance within its vendor management program.
The following major drivers need to be in the forefront of TPA Management’s approach
to improving the maturity of the existing cybersecurity internal control framework:
- The TPA Technology and Connection Types will continue to include end-of-
lifecycle hardware and application software,
- TPA is a very small organization that has used “trust” as a control in the past and
there has been an informal approach to the documentation of the risks and
operation of the existing internal controls that mitigate the risks,
- TPA’s level of inherent risks as measured by the CAR is only barely into the
Minimal Level of Inherent Risk and will remain at that level of inherent risk.
TPA’s existing cybersecurity internal control framework was measured against the 454
individual assessment factors (IAFs) that are contained in the tailored benchmarking
tool. TPA has existing internal controls that address inherent risks within all five levels of
maturity used within the CAT:
Levels of Internal Control Maturity

Level                              Baseline   Evolving   Intermediate   Advanced   Innovative
IAFs Achieved by TPA               84         52         35             11         2
Achievement Percentage by Level    75.00%     49.06%     34.31%         14.10%     3.57%
Over the next eighteen months, TPA Management needs to work toward a positive
response for all of the applicable IAFs within the Baseline level of the maturity
measurement tool. To accomplish this overall rating, TPA needs to first focus upon:
• Completing a written Cybersecurity Risk Management Program charter for the
services being provided to FinlandRe,
• Formalizing a Cybersecurity Risk Assessment focusing on the claimant data and
information processing being provided,
• Determining the IAFs that are currently within the scope of the internal audit
activities provided by FinlandRe,
• Having a training event for all employees about “Understanding Risk Security
Risks” based on the above TPA Cybersecurity Risk Assessment,
• Creating documentation of the gaps within the existing cybersecurity internal
controls framework for use in setting priorities for improvements.
The overall goal will be to revisit the benchmark within eighteen months and see
what progress has been made in increasing the maturity level at TPA. The goal would
be 100% achievement of the Baseline IAFs that are applicable to TPA. This
would place TPA’s level of maturity within established guidelines for addressing the
Inherent Risks measured by this diligent inquiry.
This CAR gives TPA Management a holistic assessment of TPA’s current Cybersecurity
Risk Management Program using a methodology developed from recognized
cybersecurity internal controls guidance. It should assist TPA Management in making
decisions and then creating a clear overall plan to address the continuous improvement
of the cybersecurity internal controls.
If you have any questions, please do not hesitate to give me a call at 479-200-4373.
Thank you for your time.
Sincerely,
John C Blackshire, Jr.
The Accountware Group, Inc.
(479) 200-4373
johnb@cseminars.com
https://www.accountwaregroup.com/
https://www.compliance-seminars.com/
Control - Comply - Communicate
Risk/Maturity Relationship
The project that created this CAR first created a TPA Inherent Risk Profile and then
moved on to assessing the applicable Individual Assessment Factors (IAFs). TPA
personnel were heavily involved in providing answers to each of the risk
measurement questions and in documenting the IAF assessment.
There were 25 Inherent Risk Levels measured to document the inherent risks. There
was a total of 454 IAFs used within this project for the assessment of maturity of the
internal controls.
The next step is to assess the overall risk-maturity relationship. Here is a visual based
on the FFIEC standards with the TPA outcomes overlaid:
TPA’s Inherent Risk is 60% within the Least Level, 36% within the Minimal Level and
4% within the Most Level. The Most Level item is the presence of End-Of-Life information
technology elements. TPA’s overall Inherent Risk Level is within the lower end of the
Minimal inherent risk level on the chart above.
The assessment of the IAFs shows that TPA currently has seventy-five percent of the
controls it needs for complete compliance with the Baseline IAFs. It is at forty-nine percent
of the coverage it needs to complete the Evolving IAFs. TPA’s Overall Inherent Risk
Level is on the lower end of Minimal; this calls for all of the Baseline IAFs to be
achieved or determined to be non-applicable, and for at least fifty percent
achievement of the Evolving IAFs.
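The scoring used in this section, as an added example in Python that is not part of the report or the FFIEC tool: it computes the inherent risk distribution and the IAF achievement percentage per maturity level, then the gap to the target stated above (all applicable Baseline IAFs, at least half of the Evolving IAFs). The per-level IAF totals are inferred here from the report's percentages and its 454-IAF total, and the overall risk level is taken as the report's judgement rather than computed.

```python
"""Scoring helpers for a CAT-style assessment: inherent risk distribution,
IAF achievement by maturity level, and the gap to the target coverage."""
from dataclasses import dataclass
from math import ceil

# Maturity levels, lowest to highest, as the CAT names them.
MATURITY_LEVELS = ("Baseline", "Evolving", "Intermediate", "Advanced", "Innovative")
# Inherent risk levels, least to most.
RISK_LEVELS = ("Least", "Minimal", "Moderate", "Significant", "Most")

# Target coverage the report sets for an overall Minimal inherent risk level:
# every applicable Baseline IAF achieved and at least half of the Evolving IAFs.
# Targets for other overall risk levels are not stated in the report, so only
# Minimal is encoded here (an assumption of this example).
TARGET_COVERAGE = {"Minimal": {"Baseline": 1.0, "Evolving": 0.5}}


@dataclass(frozen=True)
class LevelScore:
    level: str
    achieved: int       # IAFs with a "Yes" response
    applicable: int     # IAFs in the tailored tool at this level

    @property
    def percentage(self) -> float:
        """Achievement percentage, rounded as the report's table shows it."""
        if self.applicable == 0:
            return 0.0
        return round(100.0 * self.achieved / self.applicable, 2)


def score_maturity(achieved: dict, applicable: dict) -> list:
    """Build one LevelScore per maturity level, in CAT order."""
    scores = []
    for level in MATURITY_LEVELS:
        a, n = achieved.get(level, 0), applicable.get(level, 0)
        if a > n:
            raise ValueError(f"{level}: achieved {a} exceeds applicable {n}")
        scores.append(LevelScore(level, a, n))
    return scores


def achievement_table(scores: list) -> dict:
    """Map each maturity level to its achievement percentage."""
    return {s.level: s.percentage for s in scores}


def inherent_risk_profile(counts: dict) -> dict:
    """Percentage of inherent risk inquiries landing at each risk level."""
    total = sum(counts.get(level, 0) for level in RISK_LEVELS)
    if total == 0:
        raise ValueError("no inherent risk inquiries recorded")
    return {level: round(100.0 * counts.get(level, 0) / total, 2)
            for level in RISK_LEVELS}


def maturity_gaps(scores: list, overall_risk_level: str) -> dict:
    """IAFs still to achieve (or mark non-applicable) per targeted level.

    ceil() is used so that a fractional target (half of 106 IAFs, say) rounds
    up rather than silently under-counting the requirement.
    """
    targets = TARGET_COVERAGE.get(overall_risk_level)
    if targets is None:
        raise ValueError(f"no target coverage defined for {overall_risk_level!r}")
    gaps = {}
    for s in scores:
        if s.level in targets:
            needed = ceil(targets[s.level] * s.applicable)
            gaps[s.level] = max(0, needed - s.achieved)
    return gaps


# Constructed input taken from the report's tallies. The per-level applicable
# counts are inferred by this example from the report's percentages and its
# 454-IAF total (84/112 = 75.00%, ...; 112+106+102+78+56 = 454); they are not
# stated directly in the report.
TPA_ACHIEVED = {"Baseline": 84, "Evolving": 52, "Intermediate": 35,
                "Advanced": 11, "Innovative": 2}
TPA_APPLICABLE = {"Baseline": 112, "Evolving": 106, "Intermediate": 102,
                  "Advanced": 78, "Innovative": 56}
TPA_RISK_COUNTS = {"Least": 15, "Minimal": 9, "Moderate": 0,
                   "Significant": 0, "Most": 1}
TPA_OVERALL_RISK = "Minimal"   # the report's judgement, not computed here


if __name__ == "__main__":
    scores = score_maturity(TPA_ACHIEVED, TPA_APPLICABLE)
    print("Inherent risk profile:", inherent_risk_profile(TPA_RISK_COUNTS))
    for s in scores:
        print(f"{s.level:<13}{s.achieved:>4}/{s.applicable:<4}{s.percentage:>7.2f}%")
    print("Gap to target:", maturity_gaps(scores, TPA_OVERALL_RISK))
```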
Appendix A: Acronyms and Definitions
ERM Program: Enterprise risk management (ERM) is a firm-wide strategy to identify
and prepare for hazards with a company's finances, operations, and objectives. ERM
allows managers to shape the firm's overall risk position by mandating certain business
segments engage with or disengage from particular activities.
Federal Financial Institutions Examination Council (FFIEC): FFIEC is a formal U.S.
Government interagency body composed of five banking regulators that is "empowered
to prescribe uniform principles, standards, and report forms to promote uniformity in the
supervision of financial institutions". One of the standards created for regulation of the
entire banking industry is the FFIEC Cybersecurity Assessment Tool (CAT) of
May 2017.
FFIEC Cybersecurity Assessment Tool (CAT) was developed to help institutions
identify their risks and determine their cybersecurity preparedness. The Assessment
provides a repeatable and measurable process for institutions to measure their
cybersecurity preparedness over time. The Assessment incorporates cybersecurity-
related principles from the FFIEC Information Technology (IT) Examination Handbook
and regulatory guidance, and concepts from other industry standards, including the
National Institute of Standards and Technology (NIST) Cybersecurity Framework.
InfraGard is a partnership between the Federal Bureau of Investigation (FBI) and
members of the private sector for the protection of U.S. Critical Infrastructure. Through
seamless collaboration, InfraGard connects owners and operators within critical
infrastructure to the FBI, to provide education, information sharing, networking, and
workshops on emerging technologies and threats. InfraGard’s membership includes:
business executives, entrepreneurs, lawyers, security personnel, military and
government officials, IT professionals, academia and state and local law enforcement—
all dedicated to contributing industry-specific insight and advancing national security.
International Organization for Standardization (ISO) 27001 - ISO/IEC 27001 is widely known,
providing requirements for an information security management system, though there are more
than a dozen standards in the ISO/IEC 27000 family. Using them enables organizations
of any kind to manage the security of assets such as financial information, intellectual
property, employee details or information entrusted by third parties.
NAIC Insurance Data Security Model Law – This Model Law was proposed by the
NAIC to all of its members in October 2017. This model regulation requires insurers and
other entities licensed by state insurance departments to develop, implement and
maintain an information security program; investigate any cybersecurity events; and
notify the state insurance commissioner of such events.
As of June 2020, the NAIC Insurance Data Security Model Law has been adopted in 11
states: AL, CT, DE, IN, LA, MI, MS, NH, OH, SC and VA. Additionally, New York has its
own version of this act in place since 2017.
National Association of Insurance Commissioners (NAIC) - The National
Association of Insurance Commissioners is the U.S. standard-setting and regulatory
support organization created and governed by the chief insurance regulators from the
50 states, the District of Columbia, and five U.S. territories.
New York State Department of Financial Services 23 NYCRR 500 – This regulation
provides Cybersecurity Requirements for Financial Services Companies which
operate under the regulation of the department. This regulation has been effective since
March 1, 2017. It is considered much more intrusive than the NAIC Insurance Data
Security Model Law.
National Institute of Standards and Technology (NIST) is a physical sciences
laboratory and non-regulatory agency of the United States Department of Commerce.
Its mission is to promote American innovation and industrial competitiveness. One of its
projects was to produce the NIST cybersecurity framework. It is a powerful tool to
organize and improve cybersecurity programs. It is a set of guidelines and best
practices to help organizations build and improve their cybersecurity posture.
Tactical Plan: Tactical planning is the step taken after a business or team creates a
strategic plan to break that plan into smaller objectives and goals. A tactical plan is
used to define goals and determine how they will be achieved through actions and
steps. In the information technology industry a tactical plan should cover a total of 36 to
48 months. Every eighteen months the tactical plan needs to be revised and extended.
Strategic Plan: Strategic planning is a process in which an organization's leaders
define their vision for the future and identify their organization's goals and
objectives. The process includes establishing the sequence in which those goals
should be realized so that the organization can reach its stated vision. In the information
technology industry a strategic plan should cover a total of ten to twelve years. Every
thirty-six months the strategic plan needs to be revised and extended.
APPENDIX B: Assessment Methodology
Over the past ten years regulatory agencies have recognized the increasing volume and
sophistication of cyber threats and have raised their expectations for financial
institutions to mitigate these cybersecurity risks.
The Need for Criteria for the Assessment
In the insurance industry, the NAIC has responded with its continuing implementation of
the NAIC Insurance Data Security Model Law. The Model Law is in place, but the NAIC
has yet to provide implementation and assessment guidance. Thus, TAG had to select
a set of acceptable criteria that could be adjusted to the insurance industry situation.
Banking Industry Approach
In the banking industry, the Federal Financial Institutions Examination Council (FFIEC)
released the Cybersecurity Assessment Tool (CAT) in 2015 (subsequently updated in
2017) to help banking institutions identify their risks and determine their cybersecurity
preparedness with a repeatable and measurable process.
Since the release of this criteria for assessments, the National Credit Union
Administration (NCUA) has developed the Automated Cybersecurity Examination Tool
(ACET) to help credit unions assess their cybersecurity readiness.
The National Institute of Standards and Technology (NIST) has, since the 1990s, been
publishing information technology standards applicable to the Federal Government
through its Computer Security Resource Center (CSRC). NIST Special Publication
800-53 – Revision 5 – Security and Privacy Controls for Information Systems and
Organizations (NIST 800-53) is the current overall criteria being used by the Federal
Government in its assessment of cybersecurity programs.
Criteria Used to Create the FFIEC CAT
The CAT content was jointly developed by FFIEC and NIST experts using NIST 800-53
as the controlling criteria. The CAT was detailed so that the banking regulators would
have criteria, and the banks they regulate a tool, for assessing their cybersecurity
programs. The CAT is designed to support a banking institution’s measurement of
inherent cybersecurity risk and then evaluate the maturity level of internal controls
needed to bring the inherent risk down to an acceptable residual risk level.
TAG chose to use the FFIEC CAT as the base criteria for the Cybersecurity
Assessment at TPA. TAG used its extensive banking and insurance information
technology general controls background to make minor adjustments to the TPA
situation. This approach will build a measurable picture of TPA's levels of risk and
preparedness.
FFIEC Resources Used
The FFIEC offers several resources to assist financial institutions with cybersecurity risk
assessment and preparedness.
• An executive overview
• A user’s guide
• An online presentation
• Appendices mapping the Tool’s baseline maturity statements to the FFIEC IT
Handbook, mapping all maturity statements to the NIST Cybersecurity
Framework
• Glossary of terms
How It Works
This CAT approach helps a user of the criteria weigh specific risks, such as gaps in IT
security, versus controls or solutions aimed to prevent, detect, and respond to these
threats and determine areas for improvement. Each user of this CAT criteria is then
responsible for identifying its own risk appetite and establishing its desired level of
maturity.
Using the CAR will help TPA to understand where its security practices fall short and
how to effectively address those gaps. In using the CAT tool to assess TPA’s
cybersecurity readiness, this CAR presents a set of assessment observations and
findings for consideration by TPA Management.
The Two Parts of the CAT
The CAT essentially consists of two parts: Inherent Risk Profile by Category and
Cybersecurity Maturity by Domain.
1. Inherent Risk Profile by Category
The Inherent Risk Profile identifies the inherent risk that is present in the situation being
assessed. The CAT is structured to identify inherent risk relevant to cyber threats and
the profile is divided into five risk categories.
For the TPA situation, the Online/Mobile Products and Technology Services category
was removed. TPA does not have any of these types of inherent risks due to the actual
business model being used.
For this Cybersecurity Assessment Report the following four categories of inherent risk
were included in the diligent inquiry:
• Technologies and Connection Types - Certain types of connections and
technologies may pose a higher risk depending on the complexity and maturity, number
of connections, and nature of the technology products or services.
• Delivery Channels - Inherent risk increases as the variety and number of delivery
channels increases, and delivery channels for products and services may pose a higher
inherent risk depending on the nature of the specific product or service offered.
• Organizational Characteristics - Financial institutions must also consider
organizational characteristics, such as mergers and acquisitions, the number of direct
employees and cybersecurity contractors, changes in security staffing, the number of
users with privileged access, changes in the IT environment and within branches, and
locations of operations and data centers.
• External Threats - This requires careful evaluation of both the volume and
sophistication of the attacks targeting the institution, including attempted attacks as well
as those that were ultimately successful.
Within each of the above risk categories there are from one to fourteen detailed risk
factors within the CAT methodology. For each detailed risk factor there is a short
statement at each level of inherent risk. The assessment process leads the user to
select the highest risk level that fits the present situation. For each detail risk factor
selected for the TPA situation an appropriate Risk Level was determined.
The above chart details three of the detail risk factors within the Technologies and
Connection Types category and how the five Risk Levels are used to determine the
current state. You will note the example is from the Technologies and Connection
Types category of Inherent Risks, with the five statements covering the Risk Levels. The
Inherent Risk Levels are Least, Minimal, Moderate, Significant, and Most.
After reviewing each category and the various statements, the project created a Risk
Profile Summary and determined that TPA’s Inherent Risk Level summarizes to just
barely within the Minimal Inherent Risk level. The following are the definitions used for
each Risk Level:
• Least Inherent Risk: These types of institutions have limited use of
technology, zero connections, limited products and services, a
small footprint, and few employees.
• Minimal Inherent Risk: Institutions within this category have limited
variety of less risky products/services; mission-critical systems are
outsourced; use established technologies; and maintain few types of
connections with limited complexity.
• Moderate Inherent Risk: These institutions use somewhat complex
technology in terms of volume and sophistication; may outsource mission-
critical systems; have a greater variety of products and services offered
through diverse channels.
• Significant Inherent Risk: These types of institutions use complex
technology; offer high-risk products/services that may include emerging
technologies; may host significant number of applications internally; have
a substantial number of connections to customers and third parties; offer a
variety of payments directly or through a third party; and may have
significant volume.
• Most Inherent Risk: These institutions use extremely complex information
technologies to deliver a myriad of products and services which may be at
highest level of risk, including being offered to other organizations. They
tend to use new and emerging technologies across multiple delivery
channels; outsource some mission critical systems of application software
but most are hosted internally; and maintain a large number of internet
connections.
In addition to the cumulative total, institutions may also wish to tally the risk columns for
each category in order to fully understand which categories may pose additional risks
for the institution.
2. Cybersecurity Maturity Domains
Once the Inherent Risk Profile has been determined, the project focused on the
Cybersecurity Maturity section of the CAT. This step in the project determines the
maturity level of the cybersecurity controls at TPA within the following five domains:
• Domain 1: Cyber Risk Management and Oversight - focuses on the Board of
Directors’ oversight and management’s development and implementation of an effective
enterprise-wide cybersecurity program.
• Domain 2: Threat Intelligence and Collaboration - includes processes to effectively
discover, analyze, and understand cyber threats, as well as the capability to share
information internally and with appropriate third-parties.
• Domain 3: Cybersecurity Controls - the practices and processes used to protect
assets, infrastructure, and information by strengthening the institution’s defensive
posture through continuous, automated protection and monitoring.
• Domain 4: External Dependency Management - involves establishing and
maintaining a comprehensive program to oversee and manage external connections
and third-party relationships that have access to the institution’s technology and
information.
• Domain 5: Cyber Incident Management and Resilience - establishing, identifying,
and analyzing cyber events, as well as the ability to prioritize, contain, and mitigate
during cyber events. The institution should also have the ability to inform the appropriate
stakeholders. Cyber resilience includes both planning and testing to maintain and
recover ongoing operations during (and following) a cyber incident.
Levels of Maturity
Within each of the above five domains there are individual assessment factors grouped
within contributing components. Under each individual assessment factor there are
declarative statements describing an activity that supports the assessment factor at that
level of maturity. In responding to the selected declarative statements, the TPA team
selected between two answers: Yes or No.
To determine maturity levels, the project gathered the answers to the declarative
statements within each Domain for each Maturity Level. After reviewing each Domain
and the declarative statements, the project created a Maturity Level Summary. The
project determined that TPA’s overall Maturity Level summarizes to just barely within
the Evolving Maturity Level.
Interpreting and Analyzing the Assessment Results: Generally speaking, as the risk
profile increases, so should the institution’s maturity level. If the maturity level does not
meet the inherent risk profile, management should consider reducing the risk profile or
developing a strategy to improve maturity levels.
Appendix C: Background on TPA Information Processing
Third Party Administrator (TPA)
Third Party Administrator (“TPA”) provides turn-key exit strategies for discontinued and
non-strategic lines of business placed into run-off by insurers and reinsurers. TPA also
provides value-added consulting services to the insurance industry for acquisition,
restructuring, run-off, claim and underwriting issues.
TPA is a provider of third-party services to Workman’s Compensation Insurance
Company concerning a block of workers’ compensation insurance within the State of
Louisiana.
Workman’s Compensation Insurance Company
Workman’s Compensation Insurance Company (“WCIC”) is the client for TPA services
and is requesting a more formal assessment of the information security risks
concerning the processing of workers’ compensation claims. WCIC is a wholly owned
subsidiary of FinlandRe.
WCIC is the successor in interest to the Louisiana Workers Compensation Assigned
Risk Pool (“Pool”). In 1953, the Louisiana Legislature created the Pool as an
unincorporated association of workers' compensation insurers. The Pool acted as the
insurer of last resort for Louisiana employers who could not obtain workers'
compensation insurance in the private market. Louisiana law required all workers'
compensation insurance carriers to participate in the Pool in proportion to their
individual level of Louisiana business.
The Pool contracted with several of its member insurance companies to provide a
variety of services for the Pool. These servicing companies issued policies, collected
premiums, adjusted claims, and improved the insureds' workplace safety through
accident prevention measures.
In 1997, the Louisiana Legislature authorized the unincorporated association of insurers
which constituted the Facility to sell the assets and liabilities of the Facility to a private
insurance company, the Facility Insurance Corporation (“WCIC”). The former members
of the Facility became shareholders of WCIC's parent corporation. By statute, WCIC
was to be considered a continuation of the Facility. After the sale of the Facility, WCIC
has been acting as the insurer on the existing policies.
For a number of years, TPA has been providing the processing to WCIC. This
processing is for the workers’ compensation claims within the block of business created
when WCIC became the insurer for the existing policies of the Pool.
Now TPA is providing the processing to FinlandRe because WCIC has been absorbed
by FinlandRe.
Finland Reinsurance Company
Finland Reinsurance Company (FinlandRe) is a reinsurance company based in
Helsinki, Finland. It is one of the world's largest reinsurers, as measured by net
premiums written. FinlandRe operates through offices in more than 15 countries and
was ranked 148th in the Forbes Global 2000 list of leading companies in 2016. It was also
ranked 333rd on the Fortune Global 500 in 2015.
FinlandRe staff are active in reviewing the services being provided by TPA. The internal
audit staff periodically reviews the claim payment business process.
Recently FinlandRe asked TPA to benchmark the TPA security controls against industry
standards such as ISO/IEC 27001, NIST etc.
Insurance Data Security Law
The NAIC Insurance Data Security Model Law requires insurers and other entities
licensed by state insurance departments to develop, implement and maintain an
information security program; investigate any cybersecurity events; and notify the state
insurance commissioner of such events.
Over the past five years, thirteen states have adopted the NAIC Insurance Data
Security Model Law. The State of Louisiana where WCIC is regulated has not yet
passed this model act.
This project would be considered benchmarking of the current state at TPA to establish
a more formal program of cybersecurity (data security) to conform with the regulations
that are being established.
FinlandRe’s American operations fall generally under the regulation of the New York
State Department of Financial Services. On March 1, 2017, this state enacted
regulations covering cybersecurity requirements for financial services companies. This
regulation is known as the New York State Department of Financial Services 23
NYCRR 500.
Appendix D: TPA Inherent Risk Profile
The purpose of the TPA Inherent Risk Profile is to document the current state of the
information processing and how that processing creates negative risks. For the TPA
situation the following risk level categories were included in the TAG diligent inquiry:
Risk Level Categories               Number of Inquiries   Percentage of Inquiries
Technology and Connection Types     14                    56.00%
Delivery Channels                   3                     12.00%
Organization Characteristics        7                     28.00%
External Threats                    1                     4.00%
Totals:                             25                    100.00%
The inherent risks that we were primarily concerned with are the negative risks within
the current information processing environment.
After looking at the Inherent Risk Profile the project moved on to assessing the current
state of the internal control framework that is in place at TPA. The methodology is to
see if the current maturity level of the internal controls provides appropriate coverage for
the Inherent Risks. This process will also document internal control areas that need to be
improved.
Risk Level Categories               Least Risk Level   Minimal Risk Level   Moderate Risk Level   Significant Risk Level   Most Risk Level
Technology and Connection Types     5                  8                    0                     0                        1
Delivery Channels                   2                  1                    0                     0                        0
Organization Characteristics        7                  0                    0                     0                        0
External Threats                    1                  0                    0                     0                        0
Totals:                             15                 9                    0                     0                        1
Risk Level Percentage:              60.00%             36.00%               0.00%                 0.00%                    4.00%
Single Most Risk Level Item
The item highlighted in red in the Most Risk Level column was:
End-of-Life (EOL) systems
Most Risk Level Criteria - Majority of critical operations dependent on systems
that have reached EOL or will reach EOL within the next 2 years, or an unknown
number of systems that have reached EOL
The underlying application software and the installed servers are the technology that
provides the information processing required to support the claim processing
activities required by FinlandRe.
Overall Inherent Risk Profile
TPA’s inherent risk profile reveals that 60% of the Risk Levels were measured at the Least
Risk Level and 36% of the Risk Levels were measured at the Minimal Risk Level.
This creates an overall “Low Minimal Risk Level” for the TPA operation.
TPA has no plans to make major changes to the services it is providing. Additionally,
TPA is not planning any major hardware or software changes to the existing information
process environment.
The one Most Risk Level item concerns EOL systems that have been in place since the
servicing operation was created in the 1990s. There is not a viable business case for
pursuing costly upgrades in the foreseeable future. This compels TPA to secure these
legacy systems using an effective internal control framework.
The next step in the assessment is to look at the internal control framework and
determine its maturity levels and existing gaps. Once the gaps are identified there will
be a need to look at compensating internal controls to mitigate the vulnerabilities.
Four Inherent Risk Categories Used
The inherent risk profile includes a list of questions about specific risk categories and it
is critical that the responses be based on current information. TPA personnel completed
the profile and took care not to guess at the answers; the inability to accurately
complete the assessment is itself a vulnerability.
In completing the Inherent Risk Profile, TPA personnel used the CAT-based guidance
comments to identify the appropriate Risk Level (Least-Minimal-Moderate-Significant-
Most) for each of the sections below.
The four Inherent Risk Categories are:
Technologies and Connection Types: Some of the topics covered in this category
include the number of Internet service provider (ISP) and third-party connections;
whether systems are hosted internally or outsourced; the number of unsecured
connections; the use of wireless access; volume of network devices; end-of-life
systems; extent of cloud services; and use of personal devices.
Delivery Channels: Inherent risk increases as the variety and number of delivery
channels increases. This category addresses whether products and services are
available through online and mobile delivery channels and the extent of automated teller
machine (ATM) operations.
Organizational Characteristics: This category considers organizational
characteristics, such as mergers and acquisitions, number of direct employees and
cybersecurity contractors, changes in security staffing, the number of users with
privileged access, changes in information technology (IT) environment, locations of
business presence, and locations of operations and data centers.
External Threats: The volume and type of attacks (attempted or successful) affect an
institution’s inherent risk exposure. This category considers the volume and
sophistication of the attacks targeting the institution.
Summary of Risk Level Category Inquiries

Risk Level Categories                      Least    Minimal   Most
Total Inquiry Response by Risk Level       15       9         1
Percentage                                 60.00%   36.00%    4.00%

Technology and Connection Types (14 inquiries: 5 Least, 8 Minimal, 1 Most)
• Total number of Internet (ISP) connections (1 inquiry)
• Unsecured external connections (1 inquiry)
• Wireless network access (1 inquiry)
• Personal devices allowed to connect to the corporate network (1 inquiry)
• Third parties with access to internal systems (1 inquiry)
• Policyholders and agents with dedicated connections (1 inquiry)
• Internal Applications supporting critical activities (1 inquiry)
• Vendor‐developed applications supporting critical activities (1 inquiry)
• User‐developed technologies and user computing that support critical activities (1 inquiry)
• End‐of‐life (EOL) systems (1 inquiry, Most)
• Open Source Software (OSS) (1 inquiry)
• Network devices (e.g., servers, routers, and firewalls; include physical and virtual) (1 inquiry)
• Third‐party service providers (1 inquiry)
• Cloud computing services (1 inquiry)

Delivery Channels (3 inquiries: 2 Least, 1 Minimal)
• Online presence (Policyholder) (1 inquiry)
• Mobile presence (1 inquiry)
• Automated Teller Machines (ATM) (1 inquiry)

Organization Characteristics (7 inquiries, all Least)
• Mergers and acquisitions (1 inquiry)
• Direct employees (1 inquiry)
• Changes in IT and information security staffing (1 inquiry)
• Privileged access (Administrators–network, database, applications, systems, etc.) (1 inquiry)
• Changes in IT environment (1 inquiry)
• Locations of branches/business presence (1 inquiry)

External Threats (1 inquiry, Least)
• Attempted cyber attacks (1 inquiry)
Appendix E: TPA Internal Controls Maturity Assessments
The purpose of this TPA Internal Controls Maturity Assessment is to document the
current state concerning the maturity level of the thirty Components within a holistic
cybersecurity internal control framework.
This documentation can then be used to determine if TPA has a maturity level within the
internal controls that will mitigate its inherent risks that have been identified earlier to a
residual level of risk that is acceptable to TPA Management. The process also points
out Components within the internal control universe that need attention by TPA
Management.
Structure of the Assessment Tool
The thirty Components have been organized within ten Assessment Factors and five
Domains. For each Component there are a number of Individual Assessment Factors
(IAFs), which are declarative statements. A “yes” or “no” answer is determined for each
of these IAFs to establish a picture of TPA’s achievements in creating internal controls
to mitigate inherent risks.
The IAFs are organized for each Component into five layers of maturity. If all the IAFs
within a layer of maturity have been answered “yes” then TPA has reached that level of
maturity. For this project there were 454 IAFs used.
The project used as its authority criteria the FFIEC’s Cybersecurity Assessment Tool
from 2017.
Gross Level of Maturity
For the TPA situation the following Domains of Internal Controls were included in the
TAG diligent inquiry into the levels of maturity that are present:
- Domain 1: Cyber Risk Management and Oversight
- Domain 2: Threat Intelligence and Collaboration
- Domain 3: Cybersecurity Controls
- Domain 4: External Dependency Management
- Domain 5: Cyber Incident Management and Resilience
The first look at TPA’s existing cybersecurity internal controls was to examine the
achievements within each of the five Domains. TPA has created its cybersecurity
internal controls to address the risk issues that were known to management and the
staff.
The overall assessment was to determine whether TPA has created a holistic internal
control framework or whether there are corporate cultural issues that have led to major
gaps in the internal controls being created.
Cybersecurity Maturity Domains and IAFs              IAFs Achieved   IAFs Achieved (%)   Improvement Needed
Domain 1: Cyber Risk Management and Oversight                   57              40.42%                   84
Domain 2: Threat Intelligence and Collaboration                 14              31.81%                   30
Domain 3: Cybersecurity Controls                                73              48.99%                   76
Domain 4: External Dependency Management                        12              27.27%                   32
Domain 5: Cyber Incident Management and Resilience              28              36.84%                   48
Totals:                                                        184                                      270
Percentage:                                                  40.53%                                   59.47%
Overall, the achievement level at TPA is only 40.53 percent against the entire
population of IAFs. This is not a “bad” score for an organization whose overall Inherent
Risks have been measured as just within the “Minimal” Inherent Risk Level.
The lowest score is within the “External Dependency” Domain. TPA has very limited
contact with and use of external information processing. It is clear that Management and
the staff are not looking for inherent risks in this area because their information
technology ecosystem does not contain information processing by outsiders other than
the storage of backups.
Only very large and complex organizations have to address achievement within all IAFs.
For example, if FinlandRe performed this same assessment it would most likely be at
the “Most” Inherent Risk Level. For this level of inherent risk, the initial assessment
should show IAF achievement of over 95% or the assessor would be extremely
concerned about the condition of the Cybersecurity internal control framework.
Achievement Within Required Levels of Maturity
This next viewpoint looks at a summary of the IAFs that would be considered within the
two maturity levels that TPA has to embrace as its focus for the required cybersecurity
internal control framework elements to meet its needs. TPA’s Inherent Risk Level is just
on the low side of Minimal Inherent Risk. Experts recommend that, to cover this level of
inherent risk, the organization must have internal controls in place at a level of
maturity covering all of the Baseline Level of Maturity and reaching well into the
Evolving Level of Maturity. This CAR takes the conservative approach and places TPA’s
Inherent Risk Profile needs at an overall Evolving Maturity Level.
There was a total of 218 IAFs that were included in the five Domains within the
Cybersecurity Assessment Tool (CAT) being used for measurement within the Baseline
and Evolving Levels of Maturity.
In expecting TPA to move from the Baseline Level of Maturity into the Evolving Level of
Maturity, TPA needs to concentrate on these 218 IAFs in its tactical plan. TPA also
needs to have Management confirm which IAFs should be eliminated from the
assessment process because they are not applicable to the situation at TPA.
The following is a summary of the IAFs that were included within the TAG diligent
inquiry at the Baseline and Evolving Levels of Maturity across the five Domains:
Cybersecurity Maturity Domains and IAFs              IAFs Achieved        %   Improvement Needed
Domain 1: Cyber Risk Management and Oversight                   44   67.69%                   21
Domain 2: Threat Intelligence and Collaboration                 10   66.66%                    5
Domain 3: Cybersecurity Controls                                52   66.66%                   26
Domain 4: External Dependency Management                        12   46.15%                   14
Domain 5: Cyber Incident Management and Resilience              18   52.94%                   16
Totals:                                                        136                            82
Percentage:                                                  62.39%                        37.61%
Looking at the Maturity Level needed given the TPA’s Inherent Risks Profile, the
achievement level at TPA is 62.39% at a gross level.
Once again the lowest score is within the “External Dependency” Domain. TPA has very
limited contact with and use of external information processing. It is clear that
Management and the staff are not looking for inherent risks in this area because their
information technology ecosystem does not contain information processing by outsiders
other than the storage of backups.
The other lagging Domain is Cyber Incident Management and Resilience. TPA has yet
to have a confirmed breach. This lack of experience with ransomware, malware and
leaks of personnel information tends to make Management and Staff at most
organizations overly optimistic about their ability to recover with less mature controls in
place.
Domain 1: Cyber Risk Management and Oversight
Focusing on the Baseline and Evolving Maturity Levels, TPA Management needs to
understand the IAFs that need attention to raise the maturity level scores for TPA’s
Cybersecurity Internal Control Framework.
Overall, in the Cyber Risk Management and Oversight Domain, TPA had a limited
number of items that need improvement. TPA Management may choose to rely on the
mitigation of some of the risks by looking to its existing entity level controls. This would
allow the IAFs to continue as internal control deficiencies that are being mitigated by
other internal controls.
There are only three of the nine Categories of IAFs that are not achieving “Baseline”.
Two of these Categories can achieve “Baseline” with addressing just one IAF. The
Category “Audit” is going to be one of the major discussion points after a formal
Cybersecurity Risk Assessment has been completed.
Here is the summary of the current state at TPA for each group of IAFs:
                                                Baseline  Baseline  Evolving  Evolving
                                                     Yes        No       Yes        No
Domain 1: Cyber Risk Management and Oversight
Assessment Factor: Governance
  Component: Oversight                                 5         0         4         0
  Component: Strategy/Policies                         7         0         1         2
  Component: IT Asset Management                       4         0         3         1
Assessment Factor: Risk Management
  Component: Risk Management Program                   1         0         1         2
  Component: Risk Management                           2         1         2         1
  Component: Audit                                     0         4         0         5
  Component: Staffing                                  2         0         2         2
  Component: Training                                  3         1         3         2
  Component: Culture                                   1         0         3         0
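As an added illustration that is not part of the report, the following Python script applies the scoring rule described under "Structure of the Assessment Tool" to the Domain 1 counts above: a maturity layer counts as reached only when every IAF in it, and in every lower layer, is answered "yes". Run against the table's numbers it reproduces the Domain 1 totals (44 achieved, 21 needing improvement, 67.69%) and the finding that three Components are below Baseline, two of them one IAF away; the component and layer names are taken from the report, the code itself is an assumption about how the tool is scored.

```python
"""Maturity scoring over the CAT-style IAF counts reported for Domain 1.

Added example. The per-Component counts are copied from the report's Domain 1
summary table (Baseline Yes/No, Evolving Yes/No). The cumulative rule, that a
layer is reached only when every IAF in it and in every lower layer is "yes",
follows the report's own description of the assessment tool.
"""
from dataclasses import dataclass

# The two layers the report scores for TPA; the full CAT has five layers.
LAYERS = ("Baseline", "Evolving")


@dataclass(frozen=True)
class ComponentCounts:
    name: str
    factor: str
    baseline_yes: int
    baseline_no: int
    evolving_yes: int
    evolving_no: int

    def counts(self):
        """(yes, no) per layer, in ascending maturity order."""
        return ((self.baseline_yes, self.baseline_no),
                (self.evolving_yes, self.evolving_no))


# Counts copied from the report's Domain 1 table (constructed data structure)
DOMAIN_1 = [
    ComponentCounts("Oversight", "Governance", 5, 0, 4, 0),
    ComponentCounts("Strategy/Policies", "Governance", 7, 0, 1, 2),
    ComponentCounts("IT Asset Management", "Governance", 4, 0, 3, 1),
    ComponentCounts("Risk Management Program", "Risk Management", 1, 0, 1, 2),
    ComponentCounts("Risk Management", "Risk Management", 2, 1, 2, 1),
    ComponentCounts("Audit", "Risk Management", 0, 4, 0, 5),
    ComponentCounts("Staffing", "Risk Management", 2, 0, 2, 2),
    ComponentCounts("Training", "Risk Management", 3, 1, 3, 2),
    ComponentCounts("Culture", "Risk Management", 1, 0, 3, 0),
]


def maturity_level(component):
    """Highest layer reached under the cumulative rule, or "Below Baseline"."""
    reached = "Below Baseline"
    for layer, (_yes, no) in zip(LAYERS, component.counts()):
        if no > 0:
            break  # a "no" in this layer blocks it and every layer above it
        reached = layer
    return reached


def iafs_to_baseline(component):
    """Baseline IAFs still answered "no" (0 means Baseline is reached)."""
    return component.baseline_no


def domain_summary(components):
    """(achieved, improvement needed, achieved %) over both scored layers."""
    achieved = sum(c.baseline_yes + c.evolving_yes for c in components)
    needed = sum(c.baseline_no + c.evolving_no for c in components)
    pct = round(100.0 * achieved / (achieved + needed), 2)
    return achieved, needed, pct


def components_below_baseline(components):
    """Names of Components that have not reached the Baseline layer."""
    return [c.name for c in components if maturity_level(c) == "Below Baseline"]


def one_iaf_from_baseline(components):
    """Components that would reach Baseline by addressing a single IAF."""
    return [c.name for c in components if iafs_to_baseline(c) == 1]


if __name__ == "__main__":
    for c in DOMAIN_1:
        print(f"{c.name:25s} {maturity_level(c)}")
    print("Domain totals (achieved, needed, %):", domain_summary(DOMAIN_1))
    print("Below Baseline:", components_below_baseline(DOMAIN_1))
    print("One IAF from Baseline:", one_iaf_from_baseline(DOMAIN_1))
```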
Areas Where Improvements Need to be Considered
1. Component: Strategy/Policies – Two Evolving IAFs
Item 1 IAF: The institution augmented its information security strategy to
incorporate cybersecurity and resilience.
TPA Management needs to add a simple written information security strategic
plan. This strategy plan needs to include creating a formal cybersecurity
program.
Item 2. IAF: The institution has a formal cybersecurity program that is based on
technology and security industry standards or benchmarks.
TPA Management needs to create a simple program charter for the TPA
Cybersecurity Program. This charter would assign program responsibilities to
members of the TPA staff for the various internal controls contained within the
cybersecurity program.
2. Component: IT Asset Management – One Evolving IAF
Item 1. IAF: The institution has a documented asset life-cycle process that
considers whether assets to be acquired have appropriate security safeguards.
TPA Management needs to add a simple written asset management policy. This
policy needs to cover the existing hardware and software assets.
3. Component: Risk Management Program – Two Evolving IAFs
Item 1. IAF: The risk management program incorporates cyber risk identification,
measurement, mitigation, monitoring, and reporting.
TPA Management needs to add a simple written TPA Cybersecurity Program
which will be the first piece of an overall ERM Program. This policy needs to
cover the existing information technology ecosystem.
Item 2. IAF: Management monitors moderate and high residual risk issues from
the cybersecurity risk assessment until items are addressed.
TPA Management needs to determine which gaps discussed in this CAR are
moderate and high residual risk issues. After these decisions are made, an
inventory can be created and maintained.
4. Component: Risk Management – One Baseline IAF
Item 1. IAF: A risk assessment focused on safeguarding customer information
identifies reasonable and foreseeable internal and external threats, the likelihood
and potential damage of threats, and the sufficiency of policies, procedures, and
customer information systems.
Within the written TPA Cybersecurity Program, TPA Management needs to
develop a simple written risk assessment concerning the personal information
being used within the processing. This risk assessment needs to cover the
existing information technology ecosystem.
5. Component: Risk Management – One Evolving IAF
Item 1. IAF: Risk assessments are used to identify the cybersecurity risks
stemming from new products, services, or relationships.
Within the written TPA Cybersecurity Program, TPA Management needs to
clearly document that there are no current plans for new products, services, or
relationships that would add additional processing to the existing information
technology ecosystem.
6. Component: Audit – Four Baseline IAFs
Item 1. IAF: Independent audit or review evaluates policies, procedures, and
controls across the institution for significant risks and control issues associated
with the institution's operations, including risks in new products, emerging
technologies, and information systems.
Completing this review by TAG will accomplish this IAF.
Item 2. IAF: The independent audit function validates controls related to the
storage or transmission of confidential data.
Within the FinlandRe internal audits, TPA Management needs to determine if the
scope of these internal audits include the controls related to the storage or
transmission of confidential data.
Item 3. IAF: Logging practices are independently reviewed periodically to ensure
appropriate log management (e.g., access controls, retention, and maintenance).
TPA Management needs to create a simple program charter for the TPA
Cybersecurity Program. This charter would assign responsibilities for a member
of the TPA staff to independently review log management.
Item 4. IAF: Issues and corrective actions from internal audits and independent
testing/assessments are formally tracked to ensure procedures and control
lapses are resolved in a timely manner.
In responding to the FinlandRe internal audits, TPA Management needs to have a
formal process to track issues and their resolution.
7. Component: Audit – Five Evolving IAFs
Item 1. IAF: The independent audit function validates that the risk management
function is commensurate with the institution’s risk and complexity.
TPA Management needs to formally document how it addresses the internal
audit function to address the residual risks.
Item 2. IAF: The independent audit function validates that the institution’s threat
information sharing is commensurate with the institution’s risk and complexity.
TPA Management needs to formally document how it addresses the internal
audit function to address the residual risks.
Item 3. IAF: The independent audit function validates that the institution’s
cybersecurity controls function is commensurate with the institution’s risk and
complexity.
This Cybersecurity Assessment Report provides a diligent inquiry into the current
state of TPA cybersecurity controls function. Management needs to formally
document how it will continue to address the need for internal audits to address
the residual risks.
Item 4. IAF: The independent audit function validates that the institution’s third-
party relationship management is commensurate with the institution’s risk and
complexity.
This Cybersecurity Assessment Report provides a diligent inquiry into the current
state of TPA cybersecurity controls function including third-party relationship
management. Management needs to formally document how it will continue to
address the need for internal audits to address the residual risks concerning third
parties.
Item 5. IAF: The independent audit function validates that the institution’s incident
response program and resilience are commensurate with the institution’s risk and
complexity.
TPA Management needs to create a simple program charter for the TPA
Cybersecurity Program which will include an incident response program and
policy. The charter would assign incident response program responsibilities to
members of the TPA staff.
8. Component: Staffing – Two Evolving IAFs
Item 1. IAF: A formal process is used to identify cybersecurity tools and expertise
that may be needed.
TPA Management needs to create a simple program charter for the TPA
Cybersecurity Program which will include a process for expanding the
cybersecurity tools and expertise to continue to improve the maturity of the
internal controls.
Item 2. IAF: Staff with cybersecurity responsibilities have the requisite
qualifications to perform the necessary tasks of the position.
TPA Management needs to create a simple program charter for the TPA
Cybersecurity Program which has provisions for having access to the proper
expertise.
9. Component: Training – One Baseline IAF
Item 1. IAF: Customer awareness materials are readily available.
TPA Management needs to add to the existing cybersecurity training process an
event addressing the actual TPA Cybersecurity Risk Assessment and the
controls that TPA has implemented to mitigate the Cybersecurity Risks.
10. Component: Training – Two Evolving IAFs
Item 1. IAF: The institution has a program for continuing cybersecurity training
and skill development for cybersecurity staff.
TPA Management needs to add to the existing cybersecurity training process an
event addressing the actual TPA Cybersecurity Risk Assessment and the
controls that TPA has implemented to mitigate the Cybersecurity Risks.
Item 2. IAF: Business units are provided cybersecurity training relevant to their
particular business risks.
TPA Management needs to add to the existing cybersecurity training process an
event addressing the actual TPA Cybersecurity Risk Assessment and the
controls that TPA has implemented to mitigate the Cybersecurity Risks.
Domain 2: Threat Intelligence and Collaboration
Focusing on the Baseline and Evolving Maturity Levels, Management needs to
understand the IAFs that need attention to raise the maturity level scores for TPA.
Overall, within the Threat Intelligence and Collaboration Domain, TPA had a limited
number of items that need improvement. TPA Management may choose to rely on the
mitigation of some of the risks by looking to their existing entity level controls. This
would allow the IAFs to continue as internal control deficiencies that are being mitigated
by other internal controls.
Only two IAFs need attention to bring the entire Domain to achieve a “Baseline”
measure of maturity.
Here is the summary of the current state at TPA for each group of IAFs:
                                                Baseline  Baseline  Evolving  Evolving
                                                     Yes        No       Yes        No
Domain 2: Threat Intelligence and Collaboration
Assessment Factor: Threat Intelligence
  Component: Threat Intelligence & Information         3         0         1         0
  Component: Monitoring and Analyzing                  2         1         1         2
  Component: Information Sharing                       2         1         1         1
Areas Where Improvements Need to be Considered
1. Component: Monitoring and Analyzing – One Baseline IAF
Item 1 IAF: Threat information is used to monitor threats and vulnerabilities.
TPA Management needs to create a simple program charter for the TPA
Cybersecurity Program. This charter would assign program responsibilities to
members of the TPA staff for monitoring and analyzing threats.
2. Component: Monitoring and Analyzing – Two Evolving IAFs
Item 1 IAF: A process is implemented to monitor threat information to discover
emerging threats.
TPA Management needs to create a simple program charter for the TPA
Cybersecurity Program. This charter would assign program responsibilities to
members of the TPA staff for monitoring and analyzing threats.
Item 2. IAF: Monitoring systems operate continuously with adequate support for
efficient incident handling.
TPA Management needs to create a simple program charter for the TPA
Cybersecurity Program. This charter would assign program responsibilities to
members of the TPA staff for continuous monitoring and incident handling.
3. Component: Information Sharing – One Baseline IAF
Item 1 IAF: Contact information for law enforcement and the regulator(s) is
maintained and updated regularly.
TPA Management needs to create a simple program charter for the TPA
Cybersecurity Program. This charter would assign program responsibilities to
members of the TPA staff for law enforcement contact.
4. Component: Monitoring and Analyzing – One Evolving IAF
Item 1 IAF: A representative from the institution participates in law enforcement
or information-sharing organization meetings.
TPA Management needs to create a simple program charter for the TPA
Cybersecurity Program. This charter would assign program responsibilities to
members of the TPA staff to join InfraGard.
Domain 3: Cybersecurity Controls
Focusing on the Baseline and Evolving Maturity Levels, Management needs to
understand the IAFs that need attention to raise the maturity level scores for TPA.
The Cybersecurity Controls Domain is divided into three sections based on the type of
control: Preventative, Detective and Corrective. Historically, Preventative Controls are
the most important within a Cybersecurity Program.
This Cybersecurity Controls Domain will be the focus of most of the improvements
needed to bring TPA overall Maturity Level to “Baseline”. There are ten IAFs that need
attention.
Here is the summary of the current state at TPA for each group of IAFs:
                                                Baseline  Baseline  Evolving  Evolving
                                                     Yes        No       Yes        No
Domain 3: Cybersecurity Controls
Assessment Factor: Preventative Controls
  Component: Infrastructure Management                10         0         4         2
  Component: Access and Data Management               15         2         3         2
  Component: Device/End-Point Security                 1         0         4         1
  Component: Secure Coding                             0         0         0         0
Assessment Factor: Detective Controls
  Component: Threat and Vulnerability Detection        3         1         3         2
  Component: Anomalous Activity Detection              1         3         2         2
  Component: Event Detection                           3         2         0         1
Assessment Factor: Corrective Controls
  Component: Patch Management                          2         1         0         5
  Component: Remediation                               0         1         1         0
Areas Where Improvements Need to be Considered
1. Component: Access and Data Management – Two Baseline IAFs
Item 1 IAF: Customer access to Internet-based products or services requires
authentication controls (e.g., layered controls, multifactor) that are commensurate
with the risk.
TPA Management needs to create a formal risk assessment that shows the lack
of residual risk presented by claimant access.
Item 2 IAF: Mobile devices (e.g., laptops, tablets, and removable media) are
encrypted if used to store confidential data. (*N/A if mobile devices are not used.)
TPA Management needs to determine if confidential data can be removed from
the data files and transferred to mobile devices.
2. Component: Access and Data Management – Two Evolving IAFs
Item 1 IAF: Changes to user access permissions trigger automated notices to
appropriate personnel.
TPA Management needs to determine the internal controls that need to be
implemented based on the inherent risk being presented within the existing user
access process.
Item 2. IAF: Use of customer data in non-production environments complies with
legal, regulatory, and internal policy requirements for concealing or removing of
sensitive data elements.
TPA Management needs to determine where customer data is being stored and
determine what policies need to be implemented.
3. Component: Device/End-Point Security – One Evolving IAF
Item 1 IAF: The institution has controls to prevent the unauthorized addition of
new connections.
TPA Management needs to create policies concerning the addition of new
connections and the monitoring of connections being used.
4. Component: Secure Coding – All Baseline IAFs and IAFs Marked as Not
Applicable
TPA is not actively creating any major changes to the existing application
software. Bug fixes only are being made to the production code. Management
should look at the process and determine if additional documentation and change
control needs to be present.
5. Component: Threat and Vulnerability Detection – One Baseline IAF
Item 1 IAF: Antivirus and anti-malware tools are used to detect attacks.
TPA Management needs to discuss creating policies about antivirus and anti-
malware tools and then add antivirus and anti-malware tools to the available
tools.
6. Component: Threat and Vulnerability Detection – Two Evolving IAFs
Item 1 IAF: Vulnerability scanning is conducted and analyzed before
deployment/redeployment of new/existing devices.
TPA Management needs to discuss creating policies about the process of
vulnerability scanning and then determine if TPA should add to the available
tools vulnerability scanning tools.
Item 2 IAF: Processes are in place to monitor potential insider activity that could
lead to data theft or destruction.
TPA Management needs to discuss creating policies about monitoring insider
activity and then determining if TPA should add to the available tools monitoring
of insider activity.
7. Component: Anomalous Activity Detection – Two Baseline IAFs
Item 1 IAF: The institution is able to detect anomalous activities through
monitoring across the environment.
TPA Management needs to discuss creating policies concerning monitoring for
anomalous activity and then determine if TPA should add to the available tools
monitoring tools.
Item 2 IAF: Customer transactions generating anomalous activity alerts are
monitored and reviewed.
TPA Management needs to discuss creating policies concerning monitoring for
anomalous activity and then determine if TPA should add to the available tools
monitoring tools.
8. Component: Anomalous Activity Detection – Two Evolving IAFs
Item 1 IAF: Logs provide traceability for all system access by individual users.
TPA Management needs to discuss creating policies concerning logging of all
individual users access to the information technology environment and then
determine if TPA should add to the available tools additional logging tools.
Item 2 IAF: Thresholds have been established to determine activity within logs
that would warrant management response.
TPA Management needs to discuss creating policies concerning logging of all
individual users access to the information technology environment and then
determine the exception ceilings and floors concerning activity that need to be
cleared by management review.
9. Component: Event Detection – Two Baseline IAFs
Item 1 IAF: A normal network activity baseline is established.
TPA Management needs to discuss creating policies concerning determining the
baseline for network activity and how to monitor that activity and then determine
if TPA should add to the available tools monitoring tools.
Item 2 IAF: Processes are in place to monitor for the presence of unauthorized
users, devices, connections, and software.
TPA Management needs to discuss creating policies concerning monitoring for
unauthorized users, devices, connections, and software and then determine if
TPA should add to the available tools monitoring tools.
10. Component: Event Detection – One Evolving IAF
Item 1 IAF: A process is in place to correlate event information from multiple
sources (e.g., network, application, or firewall).
TPA Management needs to discuss creating policies concerning a holistic set of
monitoring tools that can produce correlated monitoring and then determine if
TPA should add to the available tools.
11. Component: Patch Management – One Baseline IAF
Item 1 IAF: Patch management reports are reviewed and reflect missing security
patches.
TPA Management needs to discuss creating policies concerning patch
management and how to monitor the patch management activities and then
determine if TPA should add to the available patch management tools.
12. Component: Patch Management – Five Evolving IAFs
Item 1 IAF: A formal process is in place to acquire, test, and deploy software
patches based on criticality.
TPA Management needs to discuss creating policies concerning patch
management and how to monitor the patch management activities and then
determine if TPA should add to the available patch management tools.
Item 2 IAF: Systems are configured to retrieve patches automatically.
TPA Management needs to discuss creating policies concerning patch
management and how to monitor the patch management activities and then
determine if TPA should add to the available patch management tools.
Item 3 IAF: Operational impact is evaluated before deploying security patches.
TPA Management needs to discuss creating policies concerning patch
management and how to monitor the patch management activities and then
determine if TPA should add to the available patch management tools.
Item 4 IAF: An automated tool(s) is used to identify missing security patches as
well as the number of days since each patch became available.
TPA Management needs to discuss creating policies concerning patch
management and how to monitor the patch management activities and then
determine if TPA should add to the available patch management tools.
Item 5 IAF: Missing patches across all environments are prioritized and tracked.
TPA Management needs to discuss creating policies concerning patch
management and how to monitor the patch management activities and then
determine if TPA should add to the available patch management tools.
13. Component: Remediation – One Baseline IAF
Item 1 IAF: Issues identified in assessments are prioritized and resolved based
on criticality and within the time frames established in the response to the
assessment report.
After this Cybersecurity Assessment Report has been reviewed by TPA
Management, management needs to discuss and prioritize the changes to the
overall internal control framework. These changes would include creating a
tactical plan to move the Maturity Level of the TPA Cybersecurity Internal Control
Framework from a High Baseline to a Medium Evolving. Creation of this tactical
plan would be an activity that follows the creation of a formal cybersecurity
risk assessment.
Domain 4: External Dependency Management
Focusing on the Baseline and Evolving Maturity Levels, Management needs to
understand the IAFs that need attention to raise the maturity level scores for TPA.
Overall, in the External Dependency Management Domain, TPA had a limited number
of items that need improvement. TPA Management may choose to rely on the mitigation
of some of the risks by looking to its existing entity level controls. This would allow the
IAFs to continue as internal control deficiencies that are being mitigated by other
internal controls.
TPA has very limited contact with and use of external information processing. It is
clear that Management and the staff are not looking for inherent risks in this area
because their information technology ecosystem does not contain information
processing by outsiders other than the storage of backups.
There are only four IAFs that need attention to bring the External Dependency
Management Domain up to a “Baseline” Level of Maturity.
Here is the summary of the current state at TPA for each group of IAFs:
                                                Baseline  Baseline  Evolving  Evolving
                                                     Yes        No       Yes        No
Domain 4: External Dependency Management
Assessment Factor: Connections
  Component: Connections                               1         2         0         5
Assessment Factor: Relationship Management
  Component: Due Diligence                             3         0         2         0
  Component: Contracts                                 3         0         0         3
  Component: Ongoing Monitoring                        1         2         2         2
Areas Where Improvements Need to be Considered
1. Component: Connections – Two Baseline IAFs
Item 1 IAF: A patch management program is implemented and ensures that
software and firmware patches are applied in a timely manner.
TPA Management needs to document a patch management policy that covers both
software and firmware, states what “timely” means for TPA, and assigns
responsibility for carrying it out and for monitoring that it is carried out.
Item 2 IAF: Patch management reports are reviewed and reflect missing security
patches.
The policy needs to name the report that shows missing security patches, who
reviews it, and how often. Management then needs to determine whether the
patch management tools currently available to TPA can produce that report.
2. Component: Connections – Five Evolving IAFs
Item 1 IAF: A formal process is in place to acquire, test, and deploy software
patches based on criticality.
The policy should define the acquire, test, and deploy steps and set a
deployment target for each level of patch criticality.
Item 2 IAF: Systems are configured to retrieve patches automatically.
TPA Management needs to decide which systems can safely retrieve patches
automatically and configure them accordingly; systems that cannot need a
documented manual procedure.
Item 3 IAF: Operational impact is evaluated before deploying security patches.
The deployment process should include an operational impact evaluation (for
example, applying the patch to a test system first) before production systems
are patched.
Item 4 IAF: An automated tool(s) is used to identify missing security patches as
well as the number of days since each patch became available.
TPA Management needs to determine whether the available patch management
tools report missing patches and their age, or whether a tool should be added.
Item 5 IAF: Missing patches across all environments are prioritized and tracked.
Missing patches from every environment should be tracked in one prioritized
list that is reviewed as part of the patch management monitoring activities.
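The Connections IAFs above (reports that reflect missing security patches, a tool that shows the number of days since each patch became available, and one prioritized list across all environments) describe a report that is straightforward to produce once a host inventory and a patch catalogue exist. The following is an added example, not code from TPA, TAG or the FFIEC: it takes a constructed inventory of installed patches per host, a constructed patch catalogue with release dates and severities, and assumed remediation windows by severity, and produces the aged, prioritized list of missing patches that these IAFs call for.

```python
"""Patch-aging report: which hosts are missing which security patches, how
many days each patch has been available, and which are past the remediation
window for their severity.

Added example, not TPA's, TAG's or the FFIEC's code. The host inventory, the
patch catalogue and the remediation windows are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date

# Assumed remediation windows in days by vendor severity. These are
# hypothetical policy values; the real ones belong in the patch policy.
REMEDIATION_WINDOW_DAYS = {"critical": 14, "high": 30, "moderate": 90, "low": 180}
SEVERITY_RANK = {"critical": 0, "high": 1, "moderate": 2, "low": 3}


@dataclass(frozen=True)
class Patch:
    patch_id: str      # vendor identifier (constructed)
    severity: str      # critical / high / moderate / low
    released: date     # date the patch became available


@dataclass(frozen=True)
class MissingPatch:
    host: str
    patch_id: str
    severity: str
    days_available: int
    overdue: bool


def missing_patches(inventory, catalogue, as_of):
    """Compare each host's installed patch set with the catalogue of available
    patches. Returns MissingPatch records sorted by severity, then by age
    (oldest first), then by host, so the top of the list is the priority."""
    findings = []
    for host, installed in inventory.items():
        for patch in catalogue:
            if patch.patch_id in installed:
                continue
            age = (as_of - patch.released).days
            window = REMEDIATION_WINDOW_DAYS[patch.severity]
            findings.append(MissingPatch(host, patch.patch_id, patch.severity,
                                         age, age > window))
    findings.sort(key=lambda m: (SEVERITY_RANK[m.severity], -m.days_available, m.host))
    return findings


def summarize(findings, hosts=()):
    """Counts for the review meeting: total missing, total overdue, and the
    same two numbers per host (hosts with nothing missing are listed too)."""
    per_host = {h: {"missing": 0, "overdue": 0} for h in hosts}
    for m in findings:
        entry = per_host.setdefault(m.host, {"missing": 0, "overdue": 0})
        entry["missing"] += 1
        entry["overdue"] += int(m.overdue)
    return {"missing": len(findings),
            "overdue": sum(int(m.overdue) for m in findings),
            "per_host": per_host}


# Constructed sample data: an advisory feed and three hosts' installed sets.
CATALOGUE = [
    Patch("KB-2022-001", "critical", date(2022, 5, 10)),
    Patch("KB-2022-002", "high", date(2022, 6, 1)),
    Patch("KB-2022-003", "moderate", date(2022, 4, 1)),
    Patch("KB-2022-004", "low", date(2022, 1, 15)),
]
INVENTORY = {
    "fileserver01": {"KB-2022-001", "KB-2022-002", "KB-2022-003", "KB-2022-004"},
    "workstation07": {"KB-2022-002", "KB-2022-004"},
    "legacy-app01": {"KB-2022-004"},   # rarely patched
}
AS_OF = date(2022, 6, 16)

if __name__ == "__main__":
    report = missing_patches(INVENTORY, CATALOGUE, AS_OF)
    for m in report:
        state = "OVERDUE" if m.overdue else "within window"
        print(f"{m.host:14} {m.patch_id} {m.severity:9} {m.days_available:4}d {state}")
    print(summarize(report, INVENTORY))
```

The remediation windows are placeholders; the patch management policy recommended above is where the real values belong. Feeding the report from the actual tooling (each host's installed-update list and the vendor advisory feed) is the tooling decision Management still has to make.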
3. Component: Contracts – Three Evolving IAFs
Item 1 IAF: Responsibilities for managing devices (e.g., firewalls, routers) that
secure connections with third parties are formally documented in the contract.
TPA Management needs to determine, based on the Cybersecurity Risk
Assessment results, whether any third party manages or connects through such
devices; if none does, this IAF can be documented as not applicable.
Item 2 IAF: Responsibility for notification of direct and indirect security incidents
and vulnerabilities is documented in contracts or service-level agreements
(SLAs).
At a minimum, the contract or SLA with the provider storing TPA’s backups
should be checked for an incident notification clause; TPA Management needs
to determine from the Cybersecurity Risk Assessment results whether any other
third party should be covered.
Item 3 IAF: Contracts stipulate geographic limits on where data can be stored or
transmitted.
The same backup storage contract should be checked for limits on where the
backups may be stored; TPA Management needs to determine from the
Cybersecurity Risk Assessment results whether this IAF applies to any other
relationship.
4. Component: Ongoing Monitoring – Two Baseline IAFs
Item 1 IAF: Audits, assessments, and operational performance reports are
obtained and reviewed regularly validating security controls for critical third
parties.
TPA Management needs to determine, based on the Cybersecurity Risk
Assessment results, which third parties are critical to TPA and whether this IAF
needs to be considered in the cybersecurity maturity assessment.
Item 2 IAF: Ongoing monitoring practices include reviewing critical third-parties’
resilience plans.
This IAF applies to the same set of critical third parties; once that set is known,
TPA Management needs to decide whether the IAF is in scope.
5. Component: Ongoing Monitoring – Two Evolving IAFs
Item 1 IAF: A formal program assigns responsibility for ongoing oversight of third-
party access.
TPA Management needs to determine, based on the Cybersecurity Risk
Assessment results, whether any third party has access to TPA systems and, if
so, assign responsibility for overseeing that access.
Item 2 IAF: Monitoring of third parties is scaled, in terms of depth and frequency,
according to the risk of the third parties.
TPA Management needs to determine, based on the Cybersecurity Risk
Assessment results, whether TPA has enough third-party relationships for this
IAF to be meaningful, or whether it should be marked as not applicable.
Domain 5: Cyber Incident Management and Resilience
Focusing on the Baseline and Evolving Maturity Levels, Management needs to
understand the IAFs that need attention to raise the maturity level scores for TPA.
Overall, in the Cyber Incident Management and Resilience Domain, three of the five
components (Testing, Detection, and Escalation and Reporting) are not yet at the
“Baseline” Level of Maturity. Management may need to focus first on this Domain in
its Cybersecurity improvement program.
There are five IAFs that need attention to bring the Cyber Incident Management and
Resilience Domain up to a “Baseline” Level of Maturity.
Here is the summary of the current state at TPA for each group of IAFs:
                                            Baseline  Baseline  Evolving  Evolving
                                            Yes       No        Yes       No
Domain 5: Cyber Incident Management and Resilience
Assessment Factor: Incident Resilience Planning and Strategy
  Component: Planning                       6         0         3         2
  Component: Testing                        1         1         0         3
  Component: Detection                      0         3         0         1
  Component: Response and Mitigation        1         0         4         4
Assessment Factor: Escalation and Reporting
  Component: Escalation and Reporting       1         1         2         1
Areas Where Improvements Need to be Considered
1. Component: Planning – Two Evolving IAFs
Item 1 IAF: The remediation plan and process outlines the mitigating actions,
resources, and time parameters.
TPA Management needs to determine based on the Cybersecurity Risk
Assessment results which scenarios would be priority items for the existing
information technology environment, and document for each the mitigating
actions, the resources required, and the time allowed.
Item 2. IAF: Due diligence has been performed on technical sources,
consultants, or forensic service firms that could be called to assist the institution
during or following an incident.
TPA has not had any reported events, so no outside response team has yet been
engaged. TPA Management needs to determine, based on the Cybersecurity Risk
Assessment results, which events would require outside team members for
remediation, and identify and verify those firms before an event occurs. The
existing insurance coverage is one of the first places to look when identifying
the members of a response team.
2. Component: Testing – One Baseline IAF
Item 1 IAF: Scenarios are used to improve incident detection and response.
TPA Management needs to determine based on the Cybersecurity Risk
Assessment results which scenarios would be priority items for the existing
information technology environment.
3. Component: Testing – Three Evolving IAFs
Item 1 IAF: Recovery scenarios include plans to recover from data destruction
and impacts to data integrity, data loss, and system and data availability.
TPA Management needs to determine based on the Cybersecurity Risk
Assessment results, which scenarios would be priority items for the existing
information technology environment.
Item 2. IAF: Widely reported events are used to evaluate and improve the
institution's response.
This IAF concerns publicly reported incidents at other organizations, not events at
TPA, which has not had any reported events. TPA Management needs to determine,
based on the Cybersecurity Risk Assessment results, which kinds of widely reported
events are relevant to the existing information technology environment and use
them to evaluate the response plan.
Item 3. IAF: Information backups are tested periodically to verify they are
accessible and readable.
TPA Management needs to create policies concerning the testing of backups and
the monitoring of the backup testing process.
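For the backup testing IAF above, “accessible and readable” means more than confirming that the backup job finished: the archive has to be opened, restored somewhere harmless, and compared with what was backed up. The following added example (not TPA's, TAG's or the FFIEC's code) builds a constructed backup of sample files, records a manifest of SHA-256 hashes at backup time, and then runs the restore test three ways: against the intact archive, against a manifest with one tampered entry, and against a truncated archive. The manifest format and the file names are assumptions made for the example.

```python
"""Backup readability test: open the archive, restore it to a scratch
directory, and compare every restored file with the hash recorded when the
backup was taken.

Added example, not TPA's, TAG's or the FFIEC's code. The sample files and the
manifest format (dict of relative path -> SHA-256 hex digest) are assumptions
made for the example.
"""
import hashlib
import os
import tarfile
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source_dir, archive_path):
    """Write a gzip tar of source_dir and return the manifest
    {relative path: sha256} that the restore test checks against."""
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for root, _dirs, files in os.walk(source_dir):
            for name in sorted(files):
                full = os.path.join(root, name)
                rel = os.path.relpath(full, source_dir)
                manifest[rel] = sha256_file(full)
                tar.add(full, arcname=rel)
    return manifest


def verify_backup(archive_path, manifest):
    """Restore into a scratch directory and compare against the manifest.
    Returns (ok, problems); problems lists an unreadable archive, files
    missing after restore, and hash mismatches."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive_path, "r:gz") as tar:
                base = os.path.realpath(scratch) + os.sep
                for member in tar.getmembers():
                    # Refuse entries that would escape the scratch directory.
                    target = os.path.realpath(os.path.join(scratch, member.name))
                    if not target.startswith(base):
                        return False, [f"unsafe path in archive: {member.name}"]
                try:
                    tar.extractall(scratch, filter="data")  # Python 3.12+ filter
                except TypeError:
                    tar.extractall(scratch)                 # older Python
        except Exception as exc:  # any read/decompress failure = not readable
            return False, [f"archive not readable: {exc}"]
        for rel, expected in manifest.items():
            restored = os.path.join(scratch, rel)
            if not os.path.isfile(restored):
                problems.append(f"missing after restore: {rel}")
            elif sha256_file(restored) != expected:
                problems.append(f"hash mismatch: {rel}")
    return not problems, problems


def run_demo():
    """Build a constructed backup and run the restore test three ways:
    intact archive, manifest with one tampered entry, truncated archive."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "claims-data")
        os.makedirs(os.path.join(src, "2022"))
        with open(os.path.join(src, "policy.txt"), "wb") as f:
            f.write(b"constructed sample content\n" * 200)
        with open(os.path.join(src, "2022", "claims.csv"), "wb") as f:
            f.write(os.urandom(4096))            # incompressible, like real data
        archive = os.path.join(work, "claims-backup.tar.gz")
        manifest = make_backup(src, archive)

        intact = verify_backup(archive, manifest)

        tampered = dict(manifest)
        tampered["policy.txt"] = "0" * 64        # wrong hash on record
        wrong_manifest = verify_backup(archive, tampered)

        with open(archive, "rb") as f:
            data = f.read()
        with open(archive, "wb") as f:
            f.write(data[: len(data) // 4])      # simulate a damaged backup
        truncated = verify_backup(archive, manifest)
    return intact, wrong_manifest, truncated


if __name__ == "__main__":
    for label, result in zip(("intact", "tampered manifest", "truncated"), run_demo()):
        print(f"{label:18} ok={result[0]} problems={result[1]}")
```

The manifest has to be written when the backup is taken and kept apart from the archive; otherwise a damaged or altered backup can only be compared with itself. Recording the result of each restore test is what gives Management the evidence the monitoring policy asks for.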
4. Component: Detection – Three Baseline IAFs
Item 1 IAF: Alert parameters are set for detecting information security incidents
that prompt mitigating actions.
TPA Management needs to create policies that define the alert parameters (which
events, what thresholds, over what time window) and the mitigating action each
alert prompts.
Item 2. IAF: System performance reports contain information that can be used as
a risk indicator to detect information security incidents.
TPA Management needs to create policies that identify which items in the system
performance reports are to be treated as risk indicators and reviewed for possible
information security incidents.
Item 3. IAF: Tools and processes are in place to detect, alert, and trigger the
incident response program.
TPA Management needs to create policies concerning the tools and processes
that need to be put in place to detect, alert, and trigger the incident response
program.
5. Component: Detection – One Evolving IAF
Item 1 IAF: The institution has processes to detect and alert the incident
response team when potential insider activity manifests that could lead to data
theft or destruction.
TPA Management needs to create policies, and the corresponding detection
rules, for insider activity that could lead to data theft or destruction, and for
alerting the incident response team when such activity is detected.
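The Detection IAFs above ask for alert parameters that prompt mitigating action and for detection of insider activity that could lead to data theft. The following added example (not TPA's, TAG's or the FFIEC's code) shows what such parameters look like once they are written down as rules and run over log lines: a burst of failed logins from one address, a successful login from that same address afterwards, an administrator login outside business hours, and one user reading an unusual number of claim files in a short window. The log line format, the threshold values, the account names and the sample events are all constructed for the example.

```python
"""Alert parameters written as rules and run over log lines: a burst of failed
logins from one address, a success from that address afterwards, an admin
login outside business hours, and bulk file reads by one user that may
signal insider data theft.

Added example, not TPA's, TAG's or the FFIEC's code. The log line format,
the threshold values, the account names and the sample events are all
constructed for the example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed line format: "<ISO timestamp> <auth|file> key=value ..."
LINE = re.compile(r"^(?P<ts>\S+) (?P<kind>auth|file) (?P<kv>.*)$")

# Assumed alert parameters (hypothetical policy values; real ones come from
# the Cybersecurity Risk Assessment and get tuned against TPA's own logs).
FAILED_LOGIN_THRESHOLD = 5
FAILED_LOGIN_WINDOW = timedelta(minutes=10)
BULK_READ_THRESHOLD = 50
BULK_READ_WINDOW = timedelta(minutes=15)
BUSINESS_HOURS = (7, 19)       # admin logins outside 07:00-19:00 are alerted
ADMIN_USERS = {"jmann"}        # constructed administrator account


def parse(line):
    """Return a dict of fields for a well-formed line, else None."""
    m = LINE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    fields["ts"] = datetime.fromisoformat(m.group("ts"))
    fields["kind"] = m.group("kind")
    return fields


def _count_in_window(queue, ts, window):
    """Append ts, drop entries older than the window, return the count."""
    queue.append(ts)
    while queue and ts - queue[0] > window:
        queue.popleft()
    return len(queue)


def detect(lines):
    """Run every rule over the lines (assumed to be in time order).
    Returns a list of (rule, subject, timestamp) alerts."""
    alerts = []
    fails = defaultdict(deque)     # source address -> failure timestamps
    reads = defaultdict(deque)     # user -> file read timestamps
    flagged_sources, flagged_users = set(), set()
    for ev in filter(None, map(parse, lines)):
        ts = ev["ts"]
        if ev["kind"] == "auth":
            src, user = ev.get("src", "?"), ev.get("user", "?")
            if ev.get("result") == "FAIL":
                n = _count_in_window(fails[src], ts, FAILED_LOGIN_WINDOW)
                if n >= FAILED_LOGIN_THRESHOLD and src not in flagged_sources:
                    flagged_sources.add(src)
                    alerts.append(("failed_login_burst", src, ts))
            elif ev.get("result") == "SUCCESS":
                if src in flagged_sources:
                    alerts.append(("success_after_failed_burst", f"{user}@{src}", ts))
                if user in ADMIN_USERS and not BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]:
                    alerts.append(("admin_login_off_hours", user, ts))
        elif ev["kind"] == "file" and ev.get("action") == "READ":
            user = ev.get("user", "?")
            n = _count_in_window(reads[user], ts, BULK_READ_WINDOW)
            if n >= BULK_READ_THRESHOLD and user not in flagged_users:
                flagged_users.add(user)
                alerts.append(("bulk_file_read", user, ts))
    return alerts


def sample_lines():
    """Constructed events for one day (not real TPA logs)."""
    t0 = datetime(2022, 6, 16, 8, 0, 0)

    def stamp(delta):
        return (t0 + delta).isoformat()

    lines = ["2022-06-16T02:14:07 auth host=fileserver01 user=jmann src=10.0.0.9 result=SUCCESS"]
    # Six failures from one address in three minutes, then a success.
    for i in range(6):
        lines.append(f"{stamp(timedelta(seconds=30 * i))} auth host=fileserver01 user=jsmith src=10.0.0.45 result=FAIL")
    lines.append(f"{stamp(timedelta(minutes=4))} auth host=fileserver01 user=jsmith src=10.0.0.45 result=SUCCESS")
    # Two isolated failures from another address: below threshold, no alert.
    for i in range(2):
        lines.append(f"{stamp(timedelta(minutes=5 + i))} auth host=fileserver01 user=tclerk src=10.0.0.52 result=FAIL")
    lines.append(f"{stamp(timedelta(minutes=7))} auth host=fileserver01 user=tclerk src=10.0.0.52 result=SUCCESS")
    # Sixty claim files read by one user in ten minutes.
    for i in range(60):
        lines.append(f"{stamp(timedelta(hours=1, seconds=10 * i))} file host=fileserver01 user=tclerk action=READ path=/claims/2022/claim-{i:04}.pdf")
    return lines


if __name__ == "__main__":
    for rule, subject, ts in detect(sample_lines()):
        print(f"{ts.isoformat()} {rule:27} {subject}")
```

Each rule fires once per subject until the window clears, which is what keeps an alert from turning into fifty identical alerts; the mitigating action each rule prompts (lock the account, call the user, open an incident) is the part the policy still has to state.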
6. Component: Response and Mitigation – Four Evolving IAFs
Item 1 IAF: Containment and mitigation strategies are developed for multiple
incident types (e.g., DDoS, malware).
TPA Management needs to determine based on the Cybersecurity Risk
Assessment results which scenarios would be priority items for the existing
information technology environment to create containment and mitigation
strategies.
Item 2 IAF: Processes are in place to trigger the incident response program when
an incident occurs at a third party.
TPA Management needs to determine, based on the Cybersecurity Risk
Assessment results, which third parties (at a minimum the provider storing TPA’s
backups) could expose TPA to an incident, and define how notification from
those parties triggers the incident response program.
Item 3 IAF: Records are generated to support incident investigation and
mitigation.
TPA Management needs to determine based on the Cybersecurity Risk
Assessment results what records creation policies need to be put in place for the
existing information technology environment.
Item 4 IAF: Analysis of events is used to improve the institution's security
measures and policies.
TPA Management needs to determine based on the Cybersecurity Risk
Assessment results what the post-incident root cause analysis program will be
for the existing information technology environment.
7. Component: Escalation and Reporting – One Baseline IAF
Item 1 IAF: Procedures exist to notify customers, regulators, and law
enforcement as required or necessary when the institution becomes aware of an
incident involving the unauthorized access to or use of sensitive customer
information.
TPA Management needs to determine based on the Cybersecurity Risk
Assessment results which new policies need to be implemented to notify
customers, regulators, and law enforcement as required or necessary when the
institution becomes aware of an incident involving the unauthorized access to or
use of sensitive customer information.
8. Component: Escalation and Reporting – One Evolving IAF
Item 1 IAF: Tracked cyber incidents are correlated for trend analysis and
reporting.
TPA Management needs to determine based on the Cybersecurity Risk
Assessment results if this IAF should be marked as “not applicable”.
Appendix F: Cybersecurity Maturity Level Determination
The second activity in the overall assessment was to have TPA look at the maturity
level of the cybersecurity related internal controls that are present in its framework of
internal controls. The maturity level was noted by TPA personnel using the criteria
provided by the FFIEC CAT, which rates each control within five domains on a scale
from “Baseline” to “Innovative”.
Maturity Levels Defined
Baseline: Baseline maturity is characterized by minimum expectations required
by law and regulations or recommended in supervisory guidance. This level
includes compliance driven objectives. Management has reviewed and evaluated
guidance.
Evolving: Evolving maturity is characterized by additional formality of
documented procedures and policies that are not already required. Risk-driven
objectives are in place. Accountability for cybersecurity is formally assigned and
broadened beyond protection of customer information to incorporate information
assets and systems.
Intermediate: Intermediate maturity is characterized by detailed, formal
processes. Controls are validated and consistent. Risk-management practices
and analysis are integrated into business strategies.
Advanced: Advanced maturity is characterized by cybersecurity practices and
analytics that are integrated across lines of business. Majority of risk-
management processes are automated and include continuous process
improvement. Accountability for risk decisions by frontline businesses is formally
assigned.
Innovative: Innovative maturity is characterized by driving innovation in people,
processes, and technology for the institution and the industry to manage cyber
risks. This may entail developing new controls, new tools, or creating new
information-sharing groups. Real-time, predictive analytics are tied to automated
responses.
Five Risk Domains
Domain 1: Cyber Risk Management and Oversight
Domain 2: Threat Intelligence and Collaboration
Domain 3: Cybersecurity Controls
Domain 4: External Dependency Management
Domain 5: Cyber Incident Management and Resilience
Domain 1: Cyber Risk Management and Oversight
Assessment Factors include: Governance; Risk Management; Resources; Training and
Culture
Governance: Covers strategies for maintaining policy and oversight in cybersecurity
initiatives. Governance of critical business assets for financial services should include
inventory assessment for applicable assets and maintenance of policies for protecting
them against advanced threats. Baseline status indicates that management is having
discussions about risks related to critical infrastructure while an institution with an
Innovative maturity level has a committee to verify management’s actions for mitigating
risks around said critical infrastructure. Policies should be updated and their
enforcement verified, and a formal IT asset management inventory with real-time
accuracy and classification management should be established. These aspects are
necessary in order to be considered Innovative in governance maturity.
Risk Management: Financial institutions should have assigned officers for risk
management and responsibility for critical business assets. The risk management
function identifies and analyzes commonalities in cyber events that occur both at the
institution and across other sectors to enable more predictive risk management. There
should be a process in place to analyze the financial impact that a cyber incident at the
institution may have across the financial sector.
Organizations should establish a risk management program that performs real time risk
assessments and audit functionality. To be considered Innovative, an institution’s risk
assessments should be updated in real time as changes to the inherent risk profile
occur, new applicable standards are released or updated, and new exposures are
anticipated. Innovative institutions use information from risk assessments to predict
threats and drive real-time responses, as well as advanced or automated analytics.
Institutions should have internal audit teams to identify gaps in existing security
measures. Automated audit reporting for external audits is essential for preparedness
and accuracy.
Resources: Includes staffing, tools, and budgeting processes to ensure the institution’s
staff or external resources have knowledge and experience commensurate with the
institution’s risk profile. Cybersecurity staffing should include proper training and
industry news seminars for up-to-date trends and threat monitoring.
Training and Culture: Includes the employee training and customer awareness
programs contributing to an organizational culture that emphasizes the mitigation of
cybersecurity threats. Having a security awareness program and testing its
effectiveness will enhance overall security culture.
Domain 2: Threat Intelligence and Collaboration
Threat intelligence: Covers the identification, tracking, and ability to predict cyber
threats. An Innovative institution has a threat analysis system that automatically
correlates threat data to specific risks and then takes risk-based automated actions
while alerting management. The institution is investing in the development of new threat
intelligence and collaboration mechanisms (e.g., technologies, business processes) that
will transform how information is gathered and shared. A number of open-source
threat intelligence feeds can provide timely, up-to-date threat intelligence.
Monitoring and Analyzing: Considers how an institution monitors threats and what
analysis is performed to identify and remediate vulnerabilities tied to the targeted
threats. Integrating with other threat intelligence sources and systems is the best holistic
approach for monitoring and alerting for advanced threats. Automatic alerting that is
meaningful and compelling can narrow the scope from traditional log mining techniques
that typically produce many false positives. While a Baseline level institution logs
security events and uses those logs for post event investigations, an Innovative one has
multiple intelligence inputs and tools that enable it to predict attacks and trends.
Information Sharing: Encompasses establishing relationships with peers and
information sharing forums and how threat information is communicated to those groups
as well as internal stakeholders. Sharing cyber threat intelligence with business units in
real time including the potential financial and operational impact of inaction is key
towards becoming more Innovative. A system should automatically inform management
of the level of business risk specific to the institution and the progress of recommended
steps taken to mitigate the risks.
Domain 3: Cybersecurity Controls
Preventative: The controls for preventative security measures include infrastructure
management, access and asset management, device/endpoint security, and secure
coding practices. Innovative institutions are maintaining risk scores for all of their
infrastructure assets and updates in real time based on threats, vulnerabilities, or
operational changes. An institution should have a process for managing customer,
employee, and third-party authentication and access. There should also be a mix of
encryption and authentication for sensitive transactions and information.
Endpoint protection is critical because endpoints are where data resides and are a
prime target of attack. To protect the “crown jewels” there should be a centralized
endpoint management tool that provides fully integrated patch, configuration, and
vulnerability management, and that can detect malware on arrival to prevent a
security incident and/or attack.
Secure coding practices are essential for limiting vulnerabilities in new software, and
automated tools in the development environment should actively scan source code so
that security weaknesses can be resolved immediately, early in the development cycle
rather than after release.
Detective: Activities performed for detective controls include: threat and vulnerability
detection, anomalous behavior activity detection, and event detection. Having a central
console that consolidates and provides alerts in real time about both insider and
outsider threats would help an organization qualify as Innovative for detective threat and
vulnerability measures.
There should be automatic alerts when anomalous behavior or security events occur.
The reporting features from the detective solution should provide traceability of the
entire timeline of any security event and respond with corrective actions in real time.
Corrective: Patch management and remediation are considered corrective controls. To
achieve Innovative status there should be a formal process in place to acquire, test, and
rapidly deploy software patches based on criticality, and systems should be configured
to retrieve patches automatically. Remediation returns all systems to an acceptable
operating state after a security incident.
The institution should be able to remediate systems damaged by zero-day attacks to
maintain current recovery time objectives. Remediation is only effective if it happens
quickly — otherwise, the intended damage is done. Remediation steps after
vulnerability scans, pen tests, risk assessments, and security incidents, should all be in
real-time to achieve Innovative maturity.
Domain 4: External Dependency Management
Connections: Includes the identification, monitoring, and management of external
connections and data flows to third parties. To be considered Innovative, an institution
should maintain a monitoring tool that records involvement with third parties via
inbound/outbound connections, web portals, or other means of data transfer. This tool
should also raise real-time alerts for incidents such as unauthorized access attempts
and anomalous behavior.
Relationship Management: Includes due diligence, contracts, and ongoing monitoring
to help ensure controls complement the institution’s cybersecurity program. Third party
risk assessment teams and management should conduct the proper due diligence when
selecting third parties that have some kind of elevated data access privilege.
Diagraming how they receive, store, process, transmit, and ultimately delete the
information to which they have access is an essential step of third party risk
management. Contract language should be structured to secure critical assets and
require performance baselines from vendors and contractors.
Domain 5: Cyber Incident Management and Resilience
Incident Resilience Planning & Strategy: Incorporates resilience planning and testing
into existing business continuity and disaster recovery plans to minimize service
disruptions and the destruction or corruption of data. Baseline level organizations have
identified roles and responsibilities, and have a communications plan in the event of an
incident, whereas at Innovative institutions, the incident response plan is designed to
ensure recovery from disruption of services, assurance of data integrity, and recovery of
lost or corrupted data following a cybersecurity incident. The incident response process
also includes detailed actions and rule-based triggers for automated response.
Depending on the nature of an institution’s business, defined recovery time objectives
and baseline for recovery should be stated in the planning documentation.
Detection, Response, & Mitigation: Refers to the steps management takes to identify,
prioritize, respond to, and mitigate the effects of internal and external threats and
vulnerabilities. In an Innovative environment the organization is able to detect and block
zero-day attempts and inform management and the incident response team in real time.
Incident response teams should be able to trace a security incident through the entire
process tree to see how it occurred and create future remediation action plans around
the vulnerability that was exploited.
Escalation & Reporting: Ensures key stakeholders are informed about the impact of
cyber incidents, and that regulators, law enforcement, and customers are notified as
required. A mechanism should be in place to ensure real time notification of incidents to
management and essential employees through multiple communication channels, with
tracking and verification of receipt. Having a real-time alert and reporting solution
allows management to escalate critical events in a timely manner and, if they are
mitigated appropriately, possibly avoid prolonged news coverage and press attention.
Appendix G: Criteria Development Materials Used
Federal Financial Institutions Examination Council (FFIEC) – Cybersecurity Assessment
Tool (CAT) https://www.ffiec.gov/cyberassessmenttool.htm
ISO/IEC 27001 – Information technology – Security Techniques – Information Security
Management Systems – Requirements (Available to purchase at ANSI Webstore
https://webstore.ansi.org )
New York State Department of Financial Services 23 NYCRR 500 - Cybersecurity
Requirements for Financial Services Companies
https://www.dfs.ny.gov/industry_guidance/cybersecurity
National Association of Insurance Commissioners (NAIC) Insurance Data Security Model
Law https://content.naic.org/sites/default/files/inline-files/MDL-668.pdf
NIST Special Publication 800-53 Revision 5 - Security and Privacy Controls for
Information Systems and Organizations
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf

FFIEC Cybersecurity Assessment Report CAR Example .pdf

  • 1.
    TPA Cybersecurity AssessmentReport (CAR) 11/24/2023 1 Third Party Administrator (TPA) 1234 Front Street Shreveport, Louisiana 71101 www.tpa.us Cybersecurity Assessment Report (CAR) June 23, 2022 Prepared by John C. Blackshire, Jr. The Accountware Group, Inc. (TAG) 7850 North Silverbell Road, Suite 114-358 Tucson, Arizona 85743 479-200-4373 www.accountwaregroup.com
  • 2.
    TPA Cybersecurity AssessmentReport (CAR) 11/24/2023 2 Table of Contents Executive Summary…………………………………………………3 Risk/Maturity Relationship………………………………………….5 List of Appendices Appendix A: Acronyms and Definitions………………………..6 Appendix B: Assessment Methodology………………………..8 Appendix C: Background on TPA Information Processing….14 Appendix D: Inherent Risk Assessment………………………16 Appendix E: Internal Controls Maturity Assessment…………20 Appendix F: Cybersecurity Level of Maturity Determination..41 Appendix G: Criteria Development Materials Used………….46
  • 3.
    TPA Cybersecurity AssessmentReport (CAR) 11/24/2023 3 Executive Summary June 16, 2022 Jim Mann Information Technology Manager Third Party Administrator 1234 Front Street Shreveport, Louisiana 71101 Dear Jim: This TPA Cybersecurity Assessment Report (CAR) was designed to benchmark the current TPA cybersecurity internal controls to a set of recognized criteria. The criteria used was based on the FFIEC Cybersecurity Assessment Tool (CAT) which was created by using NIST SP 800-53 and ISO 27001 as its base criteria. This benchmarking will allow TPA Management to formalize future improvements to the TPA cybersecurity internal control framework. This benchmark can also be shared with FinlandRe to help with compliance within its vendor management program. The following major drivers need to be in the forefront of TPA Management’s approach to improving the maturity of the existing cybersecurity internal control framework: - The TPA Technology and Connection Types will continue to include end-of- lifecycle hardware and application software, - TPA is a very small organization that has used “trust” as a control in the past and there has been an informal approach to the documentation of the risks and operation of the existing internal controls that mitigate the risks, - TPA’s level of inherent risks as measured by the CAR is only barely into the Minimal Level of Inherent Risk and will remain at that level of inherent risk. TPA’s existing cybersecurity internal control framework was measured against the 454 individual assessment factors (IAFs) that are contained in the tailored benchmarking tool. TPA has existing internal controls that address inherent risks within all five levels of maturity used within the CAT: Levels of Internal Control Maturity Baseline Evolving Intermediate Advanced Innovative IAF's Achieved by TPA 84 52 35 11 2 Achievement Percentage by Level 75.00% 49.06% 34.31% 14.10% 3.57%
  • 4.
    TPA Cybersecurity AssessmentReport (CAR) 11/24/2023 4 Over the next eighteen months, TPA Management needs to address moving to achieve a positive response for all of the applicable IAF’s within the baseline level of maturity measurement tool. To accomplish this overall rating, TPA needs to first focus upon:  Completing a written Cybersecurity Risk Management Program charter for the services being provided to FinlandRe,  Formalizing a Cybersecurity Risk Assessment focusing on claimant data and information processing being provided,  Determining the IAFs that are currently within the scope of the internal audit activities provided by FinlandRe,  Having a training event for all employees about “Understanding Risk Security Risks” based on the above TPA Cybersecurity Risk Assessment,  Creating documentation of the gaps within the existing cybersecurity internal controls framework for use in setting priorities for improvements. The overall goal will be to relook at the benchmark within eighteen months and see what progress has been made in increasing the maturity level at TPA. The goal would be to have 100% achievement within the baseline IAFs that are applicable to TPA. This would place TPA’s level of maturity within established guidelines for addressing the Inherent Risks measured by this diligent inquiry. This CAR gives TPA Management holistic assessment of TPA’s current Cybersecurity Risk Management Program using a methodology developed based upon recognized cybersecurity internal controls guidance. It should assist TPA Management in making decisions and then creating a clear overall plan to address the continuous improvement of the cybersecurity internal controls. If you have any questions, please do not hesitate to give me a call at 479-200-4373 Thank you for your time. Sincerely, John C Blackshire, Jr. The Accountware Group, Inc. 
(479) 200-4373 johnb@cseminars.com https://www.accountwaregroup.com/ https://www.compliance-seminars.com/ Control - Comply - Communicate
  • 5.
    TPA Cybersecurity AssessmentReport (CAR) 11/24/2023 5 Risk/Maturity Relationship The project that created this CAR first created an TPA Inherent Risk Profile and then moved to have the applicable Individual Assessment Factors (IAFs) assessed. TPA personnel were heavily involved with providing answers to each of the risk measurement questions and the documentation of the IAFs assessment. There were 25 Inherent Risk Levels measured to document the inherent risks. There was a total of 454 IAFs used within this project for the assessment of maturity of the internal controls. The next step is to assess the overall risk-maturity relationship. Here is a visual based on the FFIEC standards with the TPA outcomes overlayed: TPA’s Inherent Risk is 60% within the Least Level, 36% within the Minimal Level and 4% in Most Level. The Most Level is the presence of End-Of-Life information technology elements. TPA’s overall Inherent Risk Level is within the lower end of the minimal inherent risk level on the chart above. The assessment of the IAF’s shows that TPA currently has seventy-five percent of the controls it needs for complete compliance to the Baseline IAFs. It is at forty-nine percent of the coverage it needs to complete the Evolving IAFs. TPA’s Overall Inherent Risk Level is on the lower end of Minimal and this calls for all the Baseline IAF’s to be achieved or determined to be non-applicable, and there needs to be at least fifty percent of achievement for the Evolving IAFs.
Appendix A: Acronyms and Definitions

ERM Program: Enterprise risk management (ERM) is a firm-wide strategy to identify and prepare for hazards to a company's finances, operations, and objectives. ERM allows managers to shape the firm's overall risk position by mandating that certain business segments engage with or disengage from particular activities.

Federal Financial Institutions Examination Council (FFIEC): FFIEC is a formal U.S. Government interagency body composed of five banking regulators that is "empowered to prescribe uniform principles, standards, and report forms to promote uniformity in the supervision of financial institutions". One of the standards created for regulation of the entire banking industry is the FFIEC Cybersecurity Assessment Tool (CAT) of May 2017.

FFIEC Cybersecurity Assessment Tool (CAT): The CAT was developed to help institutions identify their risks and determine their cybersecurity preparedness. The Assessment provides a repeatable and measurable process for institutions to measure their cybersecurity preparedness over time. The Assessment incorporates cybersecurity-related principles from the FFIEC Information Technology (IT) Examination Handbook and regulatory guidance, and concepts from other industry standards, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework.

InfraGard: InfraGard is a partnership between the Federal Bureau of Investigation (FBI) and members of the private sector for the protection of U.S. Critical Infrastructure. Through seamless collaboration, InfraGard connects owners and operators within critical infrastructure to the FBI, to provide education, information sharing, networking, and workshops on emerging technologies and threats. InfraGard's membership includes business executives, entrepreneurs, lawyers, security personnel, military and government officials, IT professionals, academia and state and local law enforcement, all dedicated to contributing industry-specific insight and advancing national security.

International Standards Office 27001: ISO/IEC 27001 is widely known, providing requirements for an information security management system, though there are more than a dozen standards in the ISO/IEC 27000 family. Using them enables organizations of any kind to manage the security of assets such as financial information, intellectual property, employee details or information entrusted by third parties.

NAIC Insurance Data Security Model Law: This Model Law was proposed by the NAIC to all of its members in October 2017. This model regulation requires insurers and other entities licensed by state insurance departments to develop, implement and maintain an information security program; investigate any cybersecurity events; and notify the state insurance commissioner of such events. As of June 2020, the NAIC Insurance Data Security Model Law has been adopted in 11 states: AL, CT, DE, IN, LA, MI, MS, NH, OH, SC and VA. Additionally, New York has had its own version of this act in place since 2017.
National Association of Insurance Commissioners (NAIC): The National Association of Insurance Commissioners is the U.S. standard-setting and regulatory support organization created and governed by the chief insurance regulators from the 50 states, the District of Columbia, and five U.S. territories.

New York State Department of Financial Services 23 NYCRR 500: This regulation provides Cybersecurity Requirements for Financial Services Companies which operate under the regulation of the department. This regulation has been effective since March 1, 2017. It is considered much more intrusive than the NAIC Insurance Data Security Model Law.

National Institute of Standards and Technology (NIST): NIST is a physical sciences laboratory and non-regulatory agency of the United States Department of Commerce. Its mission is to promote American innovation and industrial competitiveness. One of its projects was to produce the NIST Cybersecurity Framework. It is a powerful tool to organize and improve cybersecurity programs: a set of guidelines and best practices to help organizations build and improve their cybersecurity posture.

Tactical Plan: Tactical planning is the step taken after a business or team creates a strategic plan, breaking that plan into smaller objectives and goals. A tactical plan is used to define goals and determine how they will be achieved through actions and steps. In the information technology industry a tactical plan should cover a total of 36 to 48 months. Every eighteen months the tactical plan needs to be revised and extended.

Strategic Plan: Strategic planning is a process in which an organization's leaders define their vision for the future and identify their organization's goals and objectives. The process includes establishing the sequence in which those goals should be realized so that the organization can reach its stated vision. In the information technology industry a strategic plan should cover a total of ten to twelve years. Every thirty-six months the strategic plan needs to be revised and extended.
APPENDIX B: Assessment Methodology

Over the past ten years regulatory agencies have recognized the increasing volume and sophistication of cyber threats and are increasing their expectations for financial institutions to mitigate these cybersecurity risks.

The Need for Criteria for the Assessment

In the insurance industry, the NAIC has responded with its continuing implementation of the NAIC Insurance Data Security Model Law. The Model Law is in place, but the NAIC has yet to provide implementation and assessment guidance. Thus, TAG had to select a set of acceptable criteria that could be adjusted to the insurance industry situation.

Banking Industry Approach

In the banking industry, the Federal Financial Institutions Examination Council (FFIEC) released the Cybersecurity Assessment Tool (CAT) in 2015 (subsequently updated in 2017) to help banking institutions identify their risks and determine their cybersecurity preparedness with a repeatable and measurable process. Since the release of these assessment criteria, the National Credit Union Administration (NCUA) has developed the Automated Cybersecurity Examination Tool (ACET) to help credit unions assess their cybersecurity readiness.

The National Institute of Standards and Technology (NIST) has, since the 1990s, been publishing information technology standards applicable to the Federal Government through its Computer Security Resource Center (CSRC). NIST Special Publication 800-53, Revision 5, Security and Privacy Controls for Information Systems and Organizations (NIST 800-53) is the current overall criteria being used by the Federal Government in its assessment of cybersecurity programs.

Criteria Used to Create the FFIEC CAT

The CAT content was jointly developed by FFIEC and NIST experts using NIST 800-53 as the controlling criteria. The CAT was detailed to meet the banking regulators' need for criteria that give the banks they regulate a tool to assess their cybersecurity programs. The CAT is designed to support a banking institution's measurement of inherent cybersecurity risk and then evaluate the maturity level of internal controls needed to bring the inherent risk down to an acceptable residual risk level.

TAG chose to use the FFIEC CAT as the base criteria for the Cybersecurity Assessment at TPA. TAG used its extensive banking and insurance information technology general controls background to make minor adjustments for the TPA situation. This approach will build a measurable picture of TPA's levels of risk and preparedness.
FFIEC Resources Used

The FFIEC offers several resources to assist financial institutions with cybersecurity risk assessment and preparedness:

• An executive overview
• A user's guide
• An online presentation
• Appendices mapping the Tool's baseline maturity statements to the FFIEC IT Handbook and mapping all maturity statements to the NIST Cybersecurity Framework
• A glossary of terms

How It Works

This CAT approach helps a user of the criteria weigh specific risks, such as gaps in IT security, against the controls or solutions intended to prevent, detect, and respond to these threats, and determine areas for improvement. Each user of the CAT criteria is then responsible for identifying its own risk appetite and establishing its desired level of maturity. Using the CAR will help TPA understand where its security practices fall short and how to effectively address those gaps. In using the CAT to assess TPA's cybersecurity readiness, this CAR presents a set of assessment observations and findings for consideration by TPA Management.

The Two Parts of the CAT

The CAT essentially consists of two parts: Inherent Risk Profile by Category and Cybersecurity Maturity by Domain.

1. Inherent Risk Profile by Category

The Inherent Risk Profile identifies the inherent risk that is present in the situation being assessed. The CAT is structured to identify inherent risk relevant to cyber threats, and the profile is divided into five risk categories. For the TPA situation, the Online/Mobile Products and Technology Services category was removed: TPA does not have any of these types of inherent risk because of the business model it uses. For this Cybersecurity Assessment Report the following four categories of inherent risk were included in the diligent inquiry:

• Technologies and Connection Types - Certain types of connections and technologies may pose a higher risk depending on the complexity and maturity, number of connections, and nature of the technology products or services.
• Delivery Channels - Inherent risk increases as the variety and number of delivery channels increases, and delivery channels for products and services may pose a higher inherent risk depending on the nature of the specific product or service offered.
• Organizational Characteristics - Financial institutions must also consider organizational characteristics, such as mergers and acquisitions, the number of direct employees and cybersecurity contractors, changes in security staffing, the number of users with privileged access, changes in the IT environment and within branches, and locations of operations and data centers.
• External Threats - This requires careful evaluation of both the volume and sophistication of the attacks targeting the institution, including attempted attacks as well as those that were ultimately successful.

Within each of the above risk categories there are from one to fourteen detailed risk factors within the CAT methodology. For each detailed risk factor there is a short statement at each level of inherent risk. The assessment process leads the user to select the highest risk level that fits the present situation. For each detailed risk factor selected for the TPA situation an appropriate Risk Level was determined.
(Chart: three detail risk factors from the Technologies and Connection Types category, with the statement for each of the five Risk Levels; the chart image is not reproduced here.)

The above chart details three of the detail risk factors within the Technologies and Connection Types category and how the five Risk Levels are used to determine the current state. Note that the example is from the Technologies and Connection Types category of Inherent Risks, with the five statements covering the Risk Levels. The Inherent Risk Levels are Least, Minimal, Moderate, Significant, and Most.

After reviewing each category and the various statements, the project created a Risk Profile Summary and determined that TPA's Inherent Risk Level summarizes to just barely within the Minimal Inherent Risk level. The following are the definitions used for each Risk Level:

• Least Inherent Risk: These types of institutions have limited use of technology, zero connections, limited products and services, a small footprint, and few employees.
• Minimal Inherent Risk: Institutions within this category have a limited variety of less risky products/services; mission-critical systems are outsourced; they use established technologies; and they maintain few types of connections with limited complexity.
• Moderate Inherent Risk: These institutions use somewhat complex technology in terms of volume and sophistication; may outsource mission-critical systems; and have a greater variety of products and services offered through diverse channels.
• Significant Inherent Risk: These types of institutions use complex technology; offer high-risk products/services that may include emerging technologies; may host a significant number of applications internally; have a substantial number of connections to customers and third parties; offer a variety of payments directly or through a third party; and may have significant volume.
• Most Inherent Risk: These institutions use extremely complex information technologies to deliver a myriad of products and services which may be at the highest level of risk, including being offered to other organizations. They tend to use new and emerging technologies across multiple delivery channels; outsource some mission-critical systems or application software but host most internally; and maintain a large number of internet connections.

In addition to the cumulative total, institutions may also wish to tally the risk columns for each category in order to fully understand which categories may pose additional risks for the institution.
2. Cybersecurity Maturity Domains

Once the Inherent Risk Profile had been determined, the project focused on the Cybersecurity Maturity section of the CAT. This step in the project determines the maturity level of the cybersecurity controls at TPA within the following five domains:

• Domain 1: Cyber Risk Management and Oversight - focuses on the Board of Directors' oversight and management's development and implementation of an effective enterprise-wide cybersecurity program.
• Domain 2: Threat Intelligence and Collaboration - includes processes to effectively discover, analyze, and understand cyber threats, as well as the capability to share information internally and with appropriate third parties.
• Domain 3: Cybersecurity Controls - the practices and processes used to protect assets, infrastructure, and information by strengthening the institution's defensive posture through continuous, automated protection and monitoring.
• Domain 4: External Dependency Management - involves establishing and maintaining a comprehensive program to oversee and manage external connections and third-party relationships that have access to the institution's technology and information.
• Domain 5: Cyber Incident Management and Resilience - establishing, identifying, and analyzing cyber events, as well as the ability to prioritize, contain, and mitigate during cyber events. The institution should also have the ability to inform the appropriate stakeholders. Cyber resilience includes both planning and testing to maintain and recover ongoing operations during (and following) a cyber incident.

Levels of Maturity

Within each of the above five domains there are individual assessment factors grouped within contributing components. Under each individual assessment factor there are declarative statements describing an activity that supports the assessment factor at that level of maturity. In responding to the selected declarative statements, the TPA team selected between two answers: Yes or No. To determine maturity levels, the project gathered the answers to the declarative statements within each Domain for each Maturity Level. After reviewing each Domain and the declarative statements, the project created a Maturity Level Summary. The project determined that TPA's overall Maturity Level summarizes to just barely within the Evolving Maturity Level.
Interpreting and Analyzing the Assessment Results

Generally speaking, as the risk profile increases, so should the institution's maturity level. If the maturity level does not meet the inherent risk profile, management should consider reducing the risk profile or developing a strategy to improve maturity levels.
Appendix C: Background on TPA Information Processing

Third Party Administrator (TPA)

Third Party Administrator ("TPA") provides turn-key exit strategies for discontinued and non-strategic lines of business placed into run-off by insurers and reinsurers. TPA also provides value-added consulting services to the insurance industry for acquisition, restructuring, run-off, claim and underwriting issues. TPA is a provider of third-party services to Workman's Compensation Insurance Company concerning a block of workers' compensation insurance within the State of Louisiana.

Workman's Compensation Insurance Company

Workman's Compensation Insurance Company ("WCIC") is the client for TPA services which is requesting a more formal assessment of the information security risks concerning the processing of workers' compensation claims. WCIC is a wholly owned subsidiary of FinlandRe.

WCIC is the successor in interest to the Louisiana Workers Compensation Assigned Risk Pool ("Pool"). In 1953, the Louisiana Legislature created the Pool as an unincorporated association of workers' compensation insurers. The Pool acted as the insurer of last resort for Louisiana employers who could not obtain workers' compensation insurance in the private market. Louisiana law required all workers' compensation insurance carriers to participate in the Pool in proportion to their individual level of Louisiana business. The Pool contracted with several of its member insurance companies to provide a variety of services for the Pool. These servicing companies issued policies, collected premiums, adjusted claims, and improved the insureds' workplace safety through accident prevention measures.

In 1997, the Louisiana Legislature authorized the unincorporated association of insurers which constituted the Facility to sell the assets and liabilities of the Facility to a private insurance company, the Facility Insurance Corporation ("WCIC"). The former members of the Facility became shareholders of WCIC's parent corporation. By statute, WCIC was to be considered a continuation of the Facility. After the sale of the Facility, WCIC has been acting as the insurer on the existing policies.

For a number of years, TPA has been providing the processing to WCIC. This processing is for the workers' compensation claims within the block of business created when WCIC became the insurer for the existing policies of the Pool. Now TPA is providing the processing to FinlandRe because WCIC has been absorbed by FinlandRe.
Finland Reinsurance Company

Finland Reinsurance Company (FinlandRe) is a reinsurance company based in Helsinki, Finland. It is one of the world's largest reinsurers, as measured by net premiums written. FinlandRe operates through offices in more than 15 countries and was ranked 148th in the Forbes Global 2000 leading companies list in 2016. It was also ranked 333rd on the Fortune Global 500 in 2015.

FinlandRe staff are active in reviewing the services being provided by TPA. The internal audit staff periodically reviews the claim payment business process. Recently FinlandRe asked TPA to benchmark the TPA security controls against industry standards such as ISO/IEC 27001, NIST, etc.

Insurance Data Security Law

The NAIC Insurance Data Security Model Law requires insurers and other entities licensed by state insurance departments to develop, implement and maintain an information security program; investigate any cybersecurity events; and notify the state insurance commissioner of such events. Over the past five years, thirteen states have adopted the NAIC Insurance Data Security Model Law. The State of Louisiana, where WCIC is regulated, has not yet passed this model act. This project would be considered benchmarking of the current state at TPA to establish a more formal program of cybersecurity (data security) to conform with the regulations that are being established.

FinlandRe's American operations fall generally under the regulation of the New York State Department of Financial Services. On March 1, 2017, this state enacted regulations covering cybersecurity requirements for financial services companies. This regulation is known as the New York State Department of Financial Services 23 NYCRR 500.
Appendix D: TPA Inherent Risk Profile

The purpose of the TPA Inherent Risk Profile is to document the current state of the information processing and how that processing creates negative risks. For the TPA situation the following risk level categories were included in the TAG diligent inquiry:

Risk Level Categories               Number of Inquiries   Percentage of Inquiries
Technology and Connection Types             14                   56.00%
Delivery Channels                            3                   12.00%
Organization Characteristics                 7                   28.00%
External Threats                             1                    4.00%
Totals:                                     25                  100.00%

The inherent risks that we were primarily concerned with are the negative risks within the current information processing environment. After looking at the Inherent Risk Profile the project moved on to assessing the current state of the internal control framework that is in place at TPA. The methodology is to see whether the current maturity level of the internal controls provides appropriate coverage for the Inherent Risks. This process will also document internal control areas that need to be improved.

Risk Level Categories               Least   Minimal   Moderate   Significant   Most
Technology and Connection Types       5        8         0           0          1
Delivery Channels                     2        1         0           0          0
Organization Characteristics          7        0         0           0          0
External Threats                      1        0         0           0          0
Totals:                              15        9         0           0          1
Risk Level Percentage:            60.00%   36.00%     0.00%       0.00%      4.00%

Single Most Risk Level Item

The item highlighted in red in the Most Risk Level column was: End-of-Life (EOL) systems.

Most Risk Level Criteria: Majority of critical operations dependent on systems that have reached EOL or will reach EOL within the next 2 years, or an unknown number of systems that have reached EOL.
The underlying application software and the installed servers are the technology that provides the information processing required to support the claim processing activities required by FinlandRe.

Overall Inherent Risk Profile

TPA's inherent risk profile reveals that 60% of the Risk Levels were measured at the Least Risk Level and 36% of the Risk Levels were measured at the Minimal Risk Level. This creates an overall "Low Minimal Risk Level" for the TPA operation. TPA has no plans to make major changes to the services it is providing. Additionally, TPA is not planning any major hardware or software changes to the existing information processing environment.

The one Most Risk Level item concerns EOL systems that have been in place since the servicing operation was created in the 1990s. There is not a viable business case for pursuing costly upgrades in the foreseeable future. This compels TPA to secure these legacy systems using an effective internal control framework. The next step in the assessment is to look at the internal control framework and determine its maturity levels and existing gaps. Once the gaps are identified there will be a need to look at compensating internal controls to mitigate the vulnerabilities.

Four Inherent Risk Categories Used

The inherent risk profile includes a list of questions about specific risk categories, and it is critical that the responses be based on current information. TPA personnel completed the profile and took care not to guess at the answers; the inability to accurately complete the assessment is itself a vulnerability. In completing the Inherent Risk Profile, TPA personnel used the CAT-based guidance comments to identify the appropriate Risk Level (Least, Minimal, Moderate, Significant, Most) for each of the sections below. The four Inherent Risk Categories are:

Technologies and Connection Types: Some of the topics covered in this category include the number of Internet service provider (ISP) and third-party connections; whether systems are hosted internally or outsourced; the number of unsecured connections; the use of wireless access; volume of network devices; end-of-life systems; extent of cloud services; and use of personal devices.

Delivery Channels: Inherent risk increases as the variety and number of delivery channels increases. This category addresses whether products and services are available through online and mobile delivery channels and the extent of automated teller machine (ATM) operations.

Organizational Characteristics: This category considers organizational characteristics, such as mergers and acquisitions, number of direct employees and cybersecurity contractors, changes in security staffing, the number of users with privileged access, changes in the information technology (IT) environment, locations of business presence, and locations of operations and data centers.

External Threats: The volume and type of attacks (attempted or successful) affect an institution's inherent risk exposure. This category considers the volume and sophistication of the attacks targeting the institution.

Summary of Risk Level Category Inquiries

Risk Level Categories                 Least    Minimal    Most
Inquiry Response by Risk Level          15         9        1
Percentage                           60.00%    36.00%    4.00%
Technology and Connection Types          5         8        1
Delivery Channels                        2         1        0
Organization Characteristics             7         0        0
External Threats                         1         0        0

The individual inquiries (one risk factor each) within each category were:

Technology and Connection Types: Total number of Internet (ISP) connections; Unsecured external connections; Wireless network access; Personal devices allowed to connect to the corporate network; Third parties with access to internal systems; Policyholders and agents with dedicated connections; Internal applications supporting critical activities; Vendor-developed applications supporting critical activities; User-developed technologies and user computing that support critical activities; End-of-life (EOL) systems (the single Most Risk Level response); Open Source Software (OSS); Network devices (e.g., servers, routers, and firewalls; include physical and virtual); Third-party service providers; Cloud computing services.

Delivery Channels: Online presence (Policyholder); Mobile presence; Automated Teller Machines (ATM).

Organization Characteristics: Mergers and acquisitions; Direct employees; Changes in IT and information security staffing; Privileged access (Administrators: network, database, applications, systems, etc.); Changes in IT environment; Locations of branches/business presence.

External Threats: Attempted cyber attacks.
Appendix E: TPA Internal Controls Maturity Assessments

The purpose of this TPA Internal Controls Maturity Assessment is to document the current state of the maturity level of the thirty Components within a holistic cybersecurity internal control framework. This documentation can then be used to determine whether TPA has a maturity level within the internal controls that will mitigate the inherent risks identified earlier to a residual level of risk that is acceptable to TPA Management. The process also points out Components within the internal control universe that need attention by TPA Management.

Structure of the Assessment Tool

The thirty Components have been organized within ten Assessment Factors and five Domains. For each Component there are a number of Individual Assessment Factors (IAFs), which are declarative statements. A "yes" or "no" answer is determined for each of these IAFs to establish a picture of TPA's achievements in creating internal controls to mitigate inherent risks. The IAFs for each Component are organized into five layers of maturity. If all the IAFs within a layer of maturity have been answered "yes", then TPA has reached that level of maturity. For this project 454 IAFs were used. The project used as its authoritative criteria the FFIEC's Cybersecurity Assessment Tool from 2017.

Gross Level of Maturity

For the TPA situation the following Domains of Internal Controls were included in the TAG diligent inquiry into the levels of maturity that are present:

• Domain 1: Cyber Risk Management and Oversight
• Domain 2: Threat Intelligence and Collaboration
• Domain 3: Cybersecurity Controls
• Domain 4: External Dependency Management
• Domain 5: Cyber Incident Management and Resilience

The first look at TPA's existing cybersecurity internal controls was to examine the achievements within each of the five Domains. TPA has created its cybersecurity internal controls to address the risk issues that were known to management and the staff. The overall assessment was to determine whether TPA created a holistic internal control framework or whether there are corporate cultural issues that have led to major gaps in the internal controls being created.
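The two scoring steps this report describes, selecting the single highest Risk Level that fits each inherent risk factor and tallying the results by level (Appendix D), and treating a Component's IAF layer as reached only when every IAF in it is answered "yes" (the Structure of the Assessment Tool paragraph above), can be written down as a small scoring script. The following is an added example written for this edit; it is not code from the report, from TAG or from the FFIEC tool. The function names and the cumulative treatment of the five maturity layers are assumptions (the layer names Baseline, Evolving, Intermediate, Advanced and Innovative are the FFIEC CAT's; the report names only the first two). The sample counts are taken from the report's Appendix D summary and the Domain 1 table, while the level assigned to each individual risk factor in the sample is constructed for illustration except for EOL systems, which the report places at Most.

```python
"""CAT-style scoring: inherent risk tally and maturity-layer determination.
Added example, not code from this report, TAG or the FFIEC. Function names and
the cumulative-layer rule are assumptions; sample counts follow the report's
Appendix D and Domain 1 tables, while the per-factor levels are illustrative."""

RISK_LEVELS = ["Least", "Minimal", "Moderate", "Significant", "Most"]
# FFIEC CAT maturity level names; the report itself names only the first two.
MATURITY_LEVELS = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]


def tally_inherent_risk(factor_levels):
    """Count factors per Risk Level and return (counts, percentages).
    factor_levels maps each factor to the single highest level that fits."""
    counts = {lvl: 0 for lvl in RISK_LEVELS}
    for name, level in factor_levels.items():
        if level not in counts:
            raise ValueError(f"{name}: unknown risk level {level!r}")
        counts[level] += 1
    total = sum(counts.values())
    pct = {lvl: round(100.0 * n / total, 2) if total else 0.0 for lvl, n in counts.items()}
    return counts, pct


def achieved_maturity(component_answers):
    """Highest maturity layer a component has fully reached, or None.
    component_answers maps a layer to a list of booleans, one per IAF (True
    for "yes"). A layer counts only if it and every lower layer are all "yes"."""
    reached = None
    for level in MATURITY_LEVELS:
        answers = component_answers.get(level, [])
        if not answers or not all(answers):
            break
        reached = level
    return reached


def domain_achievement(components, levels=("Baseline", "Evolving")):
    """Sum yes/no IAF counts across a domain for the given layers and return
    (achieved, improvement_needed, percent_achieved) as in the report's tables."""
    achieved = needed = 0
    for answers in components.values():
        for level in levels:
            yes = sum(1 for a in answers.get(level, []) if a)
            achieved += yes
            needed += len(answers.get(level, [])) - yes
    total = achieved + needed
    return achieved, needed, round(100.0 * achieved / total, 2) if total else 0.0


def _assign(level, *names):
    return {n: level for n in names}


# Constructed sample: 25 inquiries named after the report's list; only EOL
# systems (Most) and the 15/9/0/0/1 tallies are the report's, the rest is illustrative.
SAMPLE_RISK_FACTORS = {
    **_assign("Least", "Internet (ISP) connections", "Unsecured external connections",
              "Policyholders/agents with dedicated connections", "Third-party service providers",
              "Cloud computing services", "Online presence (policyholder)", "Mobile presence",
              "Mergers and acquisitions", "Direct employees", "Changes in IT/security staffing",
              "Privileged access", "Changes in IT environment", "Locations of branches",
              "Locations of operations and data centers", "Attempted cyber attacks"),
    **_assign("Minimal", "Wireless network access", "Personal devices on corporate network",
              "Third parties with access to internal systems", "Internal critical applications",
              "Vendor-developed critical applications", "User-developed critical technologies",
              "Open Source Software (OSS)", "Network devices", "Automated Teller Machines (ATM)"),
    **_assign("Most", "End-of-life (EOL) systems"),
}


def _iafs(yes, no):
    return [True] * yes + [False] * no


# Constructed from the report's Domain 1 table: Baseline yes/no, Evolving yes/no.
SAMPLE_DOMAIN1 = {
    "Oversight": {"Baseline": _iafs(5, 0), "Evolving": _iafs(4, 0)},
    "Strategy/Policies": {"Baseline": _iafs(7, 0), "Evolving": _iafs(1, 2)},
    "IT Asset Management": {"Baseline": _iafs(4, 0), "Evolving": _iafs(3, 1)},
    "Risk Management Program": {"Baseline": _iafs(1, 0), "Evolving": _iafs(1, 2)},
    "Risk Management": {"Baseline": _iafs(2, 1), "Evolving": _iafs(2, 1)},
    "Audit": {"Baseline": _iafs(0, 4), "Evolving": _iafs(0, 5)},
    "Staffing": {"Baseline": _iafs(2, 0), "Evolving": _iafs(2, 2)},
    "Training": {"Baseline": _iafs(3, 1), "Evolving": _iafs(3, 2)},
    "Culture": {"Baseline": _iafs(1, 0), "Evolving": _iafs(3, 0)},
}

if __name__ == "__main__":
    counts, pct = tally_inherent_risk(SAMPLE_RISK_FACTORS)
    print("Inherent risk tally:", counts, pct)
    print("Domain 1 (Baseline+Evolving):", domain_achievement(SAMPLE_DOMAIN1))
    for comp, answers in SAMPLE_DOMAIN1.items():
        print(f"{comp}: reached {achieved_maturity(answers)}")
```

Run stand-alone, the tally reproduces the report's 60% / 36% / 4% split and the Domain 1 figures of 44 achieved, 21 needing improvement and 67.69%. The per-component output is the part the report's tables do not show directly: because layers are cumulative, a Component such as Audit with a single "no" at Baseline has reached no layer at all, whatever its Evolving answers, which is why the report treats the Baseline IAFs as the first things to close or to mark non-applicable.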
Cybersecurity Maturity Domains and IAFs            IAFs Achieved   IAFs Achieved %   Improvement Needed
Domain 1: Cyber Risk Management and Oversight            57             40.42%               84
Domain 2: Threat Intelligence and Collaboration          14             31.81%               30
Domain 3: Cybersecurity Controls                         73             48.99%               76
Domain 4: External Dependency Management                 12             27.27%               32
Domain 5: Cyber Incident Management and Resilience       28             36.84%               48
Totals:                                                 184                                 270
Percentage:                                           40.53%                              59.47%

Overall, the achievement level at TPA is only 40.53 percent against the entire population of IAFs. This is not a "bad" score for an organization whose overall Inherent Risks, as measured, fall just within the "Minimal" Inherent Risk Level.

The lowest score is within the "External Dependency" Domain. TPA has very limited contact with and use of external information processing. It is clear that Management and the staff are not looking for inherent risks in this area because their information technology ecosystem does not contain information processing by outsiders other than the storage of backups.

Only very large and complex organizations have to address achievement within all IAFs. For example, if FinlandRe performed this same assessment it would most likely be at the "Most" Inherent Risk Level. For this level of inherent risk, the initial assessment should show IAF achievement of over 95%, or the assessor would be extremely concerned about the condition of the cybersecurity internal control framework.

Achievement Within Required Levels of Maturity

This next viewpoint looks at a summary of the IAFs that would be considered within the two maturity levels that TPA has to embrace as its focus for the cybersecurity internal control framework elements required to meet its needs. TPA's Inherent Risk Level is just
on the low side of Minimal Inherent Risk. Experts recommend that, to cover this level of inherent risk, the organization must have internal controls in place at a level of maturity covering all of the Baseline Level of Maturity and reaching well into the Evolving Level of Maturity. This CAR takes the conservative approach and places TPA's Inherent Risk Profile needs at an overall Evolving Maturity Level.

There was a total of 218 IAFs included in the five Domains within the Cybersecurity Assessment Tool (CAT) being used for measurement within the Baseline and Evolving Levels of Maturity. In expecting TPA to move from the Baseline Level of Maturity into the Evolving Level of Maturity, TPA needs to concentrate on these 218 IAFs in its tactical plan. TPA also needs to have Management confirm which IAFs should be eliminated from the assessment process because they are not applicable to the situation at TPA.

The following is a summary of the IAFs that were included within the TAG diligent inquiry within the Baseline and Evolving levels of the Domains:

Cybersecurity Maturity Domains and IAFs            IAFs Achieved      %       Improvement Needed
Domain 1: Cyber Risk Management and Oversight            44          67.69%            21
Domain 2: Threat Intelligence and Collaboration          10          66.66%             5
Domain 3: Cybersecurity Controls                         52          66.66%            26
Domain 4: External Dependency Management                 12          46.15%            14
Domain 5: Cyber Incident Management and Resilience       18          52.94%            16
Totals:                                                 136                            82
Percentage:                                           62.39%                        37.61%

Looking at the Maturity Level needed given TPA's Inherent Risk Profile, the achievement level at TPA is 62.39% at a gross level. Once again we see the lowest score is within the "External Dependency" Domain. TPA has very limited contact with and use of external information processing. It is clear that Management and the staff are not looking for inherent risks in this area because their information technology ecosystem does not contain information processing by outsiders other than the storage of backups.

The other lagging Domain is Cyber Incident Management and Resilience. TPA has yet to have a confirmed breach. This lack of experience with ransomware, malware and
leaks of personal information tends to make Management and Staff at most organizations overly optimistic about their ability to recover with less mature controls in place.

Domain 1: Cyber Risk Management and Oversight

Focusing on the Baseline and Evolving Maturity Levels, TPA Management needs to understand the IAFs that need attention to raise the maturity level scores for TPA's Cybersecurity Internal Control Framework. Overall, in the Cyber Risk Management and Oversight Domain, TPA had a limited number of items that need improvement. TPA Management may choose to rely on the mitigation of some of the risks by looking to its existing entity level controls. This would allow the IAFs to continue as internal control deficiencies that are being mitigated by other internal controls.

Only three of the nine Categories of IAFs are not achieving "Baseline". Two of these Categories can achieve "Baseline" by addressing just one IAF. The Category "Audit" is going to be one of the major discussion points after a formal Cybersecurity Risk Assessment has been completed. Here is the summary of the current state at TPA for each group of IAFs:

                                                Baseline        Evolving
                                                Yes    No       Yes    No
Domain 1: Cyber Risk Management and Oversight
Assessment Factor: Governance
  Component: Oversight                            5     0        4     0
  Component: Strategy/Policies                    7     0        1     2
  Component: IT Asset Management                  4     0        3     1
Assessment Factor: Risk Management
  Component: Risk Management Program              1     0        1     2
  Component: Risk Management                      2     1        2     1
  Component: Audit                                0     4        0     5
  Component: Staffing                             2     0        2     2
  Component: Training                             3     1        3     2
  Component: Culture                              1     0        3     0

Areas Where Improvements Need to be Considered

1. Component: Strategy/Policies – Two Evolving IAFs

Item 1. IAF: The institution augmented its information security strategy to incorporate cybersecurity and resilience.
  • 24.
    TPA Cybersecurity AssessmentReport (CAR) 11/24/2023 24 TPA Management needs to add a simple written information security strategic plan. This strategy plan needs to include creating a formal cybersecurity program. Item 2. IAF: The institution has a formal cybersecurity program that is based on technology and security industry standards or benchmarks. TPA Management needs to create a simple program charter for the TPA Cybersecurity Program. This charter would assign program responsibilities to members of the TPA staff for the various internal controls contained within the cybersecurity program. 2. Component: IT Asset Management – One Evolving IAFs Item 1. IAF: The institution has a documented asset life-cycle process that considers whether assets to be acquired have appropriate security safeguards. TPA Management needs to add a simple written asset management policy. This policy needs to cover the existing hardware and software assets. 3. Component: Risk Management Program – Two Evolving IAFs Item 1. IAF: The risk management program incorporates cyber risk identification, measurement, mitigation, monitoring, and reporting. TPA Management needs to add a simple written TPA Cybersecurity Program which will be the first piece of an overall ERM Program. This policy needs to cover the existing information technology ecosystem. Item 2. IAF: Management monitors moderate and high residual risk issues from the cybersecurity risk assessment until items are addressed. TPA Management needs to determine which gaps discussed in this CAR are moderate and high residual risk issues. After these decisions are made, an inventory can be created and maintained. 4. Component: Risk Management – One Baseline IAF Item 1. IAF: A risk assessment focused on safeguarding customer information identifies reasonable and foreseeable internal and external threats, the likelihood and potential damage of threats, and the sufficiency of policies, procedures, and customer information systems. 
Within the written TPA Cybersecurity Program, TPA Management needs to develop a simple written risk assessment concerning the personal information being used within the processing. This risk assessment needs to cover the existing information technology ecosystem.

5. Component: Risk Management – One Evolving IAF

Item 1 IAF: Risk assessments are used to identify the cybersecurity risks stemming from new products, services, or relationships.
Within the written TPA Cybersecurity Program, TPA Management needs to clearly document that there are no current plans for new products, services, or relationships that would add processing to the existing information technology ecosystem.

6. Component: Audit – Four Baseline IAFs

Item 1 IAF: Independent audit or review evaluates policies, procedures, and controls across the institution for significant risks and control issues associated with the institution's operations, including risks in new products, emerging technologies, and information systems.
Completing this review by TAG accomplishes this IAF.

Item 2 IAF: The independent audit function validates controls related to the storage or transmission of confidential data.
TPA Management needs to determine whether the scope of the FinlandRe internal audits includes the controls related to the storage or transmission of confidential data.

Item 3 IAF: Logging practices are independently reviewed periodically to ensure appropriate log management (e.g., access controls, retention, and maintenance).
TPA Management needs to create a simple program charter for the TPA Cybersecurity Program. This charter would assign responsibility to a member of the TPA staff to independently review log management on a periodic basis.

Item 4 IAF: Issues and corrective actions from internal audits and independent testing/assessments are formally tracked to ensure procedures and control lapses are resolved in a timely manner.
In responding to the FinlandRe internal audits, TPA Management needs a formal process to track issues and their resolution.

7. Component: Audit – Five Evolving IAFs

Item 1 IAF: The independent audit function validates that the risk management function is commensurate with the institution’s risk and complexity.
TPA Management needs to formally document how the internal audit function addresses the residual risks.

Item 2 IAF: The independent audit function validates that the institution’s threat information sharing is commensurate with the institution’s risk and complexity.
TPA Management needs to formally document how the internal audit function addresses the residual risks.

Item 3 IAF: The independent audit function validates that the institution’s cybersecurity controls function is commensurate with the institution’s risk and complexity.
This Cybersecurity Assessment Report provides a diligent inquiry into the current state of the TPA cybersecurity controls function. Management needs to formally document how it will continue to address the need for internal audits of the residual risks.

Item 4 IAF: The independent audit function validates that the institution’s third-party relationship management is commensurate with the institution’s risk and complexity.
This Cybersecurity Assessment Report provides a diligent inquiry into the current state of the TPA cybersecurity controls function, including third-party relationship management. Management needs to formally document how it will continue to address the need for internal audits of the residual risks concerning third parties.

Item 5 IAF: The independent audit function validates that the institution’s incident response program and resilience are commensurate with the institution’s risk and complexity.
TPA Management needs to create a simple program charter for the TPA Cybersecurity Program which includes an incident response program and policy. The charter would assign incident response program responsibilities to members of the TPA staff.

8. Component: Staffing – Two Evolving IAFs

Item 1 IAF: A formal process is used to identify cybersecurity tools and expertise that may be needed.
TPA Management needs to create a simple program charter for the TPA Cybersecurity Program which includes a process for expanding the cybersecurity tools and expertise needed to continue improving the maturity of the internal controls.

Item 2 IAF: Staff with cybersecurity responsibilities have the requisite qualifications to perform the necessary tasks of the position.
TPA Management needs to create a simple program charter for the TPA Cybersecurity Program which has provisions for access to the proper expertise.

9. Component: Training – One Baseline IAF

Item 1 IAF: Customer awareness materials are readily available.
TPA Management needs to add to the existing cybersecurity training process an event addressing the actual TPA Cybersecurity Risk Assessment and the controls that TPA has implemented to mitigate the cybersecurity risks.

10. Component: Training – Two Evolving IAFs

Item 1 IAF: The institution has a program for continuing cybersecurity training and skill development for cybersecurity staff.

Item 2 IAF: Business units are provided cybersecurity training relevant to their particular business risks.

For both of these IAFs, TPA Management needs to add to the existing cybersecurity training process an event addressing the actual TPA Cybersecurity Risk Assessment and the controls that TPA has implemented to mitigate the cybersecurity risks.

Domain 2: Threat Intelligence and Collaboration

Focusing on the Baseline and Evolving Maturity Levels, Management needs to understand the IAFs that need attention to raise the maturity level scores for TPA. Overall, within the Threat Intelligence and Collaboration Domain, TPA had a limited number of items that need improvement. TPA Management may choose to rely on the mitigation of some of the risks by looking to its existing entity level controls. This would allow the IAFs to continue as internal control deficiencies that are being mitigated by other internal controls. Only two IAFs need attention to bring the entire Domain to a “Baseline” measure of maturity.

Here is the summary of the current state at TPA for each group of IAFs:

Domain 2: Threat Intelligence and Collaboration
Component                              Baseline Yes  Baseline No  Evolving Yes  Evolving No
Assessment Factor: Threat Intelligence
  Threat Intelligence & Information           3            0            1            0
  Monitoring and Analyzing                    2            1            1            2
  Information Sharing                         2            1            1            1

Areas Where Improvements Need to be Considered

1. Component: Monitoring and Analyzing – One Baseline IAF

Item 1 IAF: Threat information is used to monitor threats and vulnerabilities.
TPA Management needs to create a simple program charter for the TPA Cybersecurity Program. This charter would assign responsibility to members of the TPA staff for monitoring and analyzing threats.

2. Component: Monitoring and Analyzing – Two Evolving IAFs

Item 1 IAF: A process is implemented to monitor threat information to discover emerging threats.
The same program charter would assign responsibility to members of the TPA staff for monitoring threat information for emerging threats.

Item 2 IAF: Monitoring systems operate continuously with adequate support for efficient incident handling.
The same program charter would assign responsibility to members of the TPA staff for continuous monitoring and incident handling.

3. Component: Information Sharing – One Baseline IAF

Item 1 IAF: Contact information for law enforcement and the regulator(s) is maintained and updated regularly.
The same program charter would assign responsibility to members of the TPA staff for maintaining law enforcement and regulator contact information.

4. Component: Information Sharing – One Evolving IAF

Item 1 IAF: A representative from the institution participates in law enforcement or information-sharing organization meetings.
The same program charter would assign responsibility to a member of the TPA staff to join InfraGard.

Domain 3: Cybersecurity Controls

Focusing on the Baseline and Evolving Maturity Levels, Management needs to understand the IAFs that need attention to raise the maturity level scores for TPA. The Cybersecurity Controls Domain is divided into three sections based on the type of control: Preventative, Detective and Corrective. Historically, Preventative Controls are the most important within a Cybersecurity Program. This Domain will be the focus of most of the improvements needed to bring TPA’s overall Maturity Level to “Baseline”. There are ten IAFs that need attention.

Here is the summary of the current state at TPA for each group of IAFs:

Domain 3: Cybersecurity Controls
Component                              Baseline Yes  Baseline No  Evolving Yes  Evolving No
Assessment Factor: Preventative Controls
  Infrastructure Management                  10            0            4            2
  Access and Data Management                 15            2            3            2
  Device/End-Point Security                   1            0            4            1
  Secure Coding                               0            0            0            0
Assessment Factor: Detective Controls
  Threat and Vulnerability Detection          3            1            3            2
  Anomalous Activity Detection                1            3            2            2
  Event Detection                             3            2            0            1
Assessment Factor: Corrective Controls
  Patch Management                            2            1            0            5
  Remediation                                 0            1            1            0

Areas Where Improvements Need to be Considered

1. Component: Access and Data Management – Two Baseline IAFs
Item 1 IAF: Customer access to Internet-based products or services requires authentication controls (e.g., layered controls, multifactor) that are commensurate with the risk.
TPA Management needs to create a formal risk assessment that shows the lack of residual risk presented by claimant access.

Item 2 IAF: Mobile devices (e.g., laptops, tablets, and removable media) are encrypted if used to store confidential data. (*N/A if mobile devices are not used.)
TPA Management needs to determine if confidential data can be removed from the data files and transferred to mobile devices.

2. Component: Access and Data Management – Two Evolving IAFs

Item 1 IAF: Changes to user access permissions trigger automated notices to appropriate personnel.
TPA Management needs to determine the internal controls that need to be implemented based on the inherent risk presented within the existing user access process.

Item 2 IAF: Use of customer data in non-production environments complies with legal, regulatory, and internal policy requirements for concealing or removing sensitive data elements.
TPA Management needs to determine where customer data is being stored and what policies need to be implemented.

3. Component: Device/End-Point Security – One Evolving IAF

Item 1 IAF: The institution has controls to prevent the unauthorized addition of new connections.
TPA Management needs to create policies concerning the addition of new connections and the monitoring of the connections in use.

4. Component: Secure Coding – All Baseline IAFs and IAFs Marked as Not Applicable

TPA is not actively making any major changes to the existing application software; only bug fixes are being made to the production code. Management should look at the process and determine if additional documentation and change control need to be present.

5. Component: Threat and Vulnerability Detection – One Baseline IAF

Item 1 IAF: Antivirus and anti-malware tools are used to detect attacks.
TPA Management needs to discuss creating policies about antivirus and anti-malware tools and then add antivirus and anti-malware tools to the available tools.

6. Component: Threat and Vulnerability Detection – Two Evolving IAFs

Item 1 IAF: Vulnerability scanning is conducted and analyzed before deployment/redeployment of new/existing devices.
TPA Management needs to discuss creating policies about the vulnerability scanning process and then determine if TPA should add vulnerability scanning tools to the available tools.

Item 2 IAF: Processes are in place to monitor potential insider activity that could lead to data theft or destruction.
TPA Management needs to discuss creating policies about monitoring insider activity and then determine if TPA should add insider-activity monitoring to the available tools.

7. Component: Anomalous Activity Detection – Two Baseline IAFs

Item 1 IAF: The institution is able to detect anomalous activities through monitoring across the environment.

Item 2 IAF: Customer transactions generating anomalous activity alerts are monitored and reviewed.

For both IAFs, TPA Management needs to discuss creating policies concerning monitoring for anomalous activity and then determine if TPA should add monitoring tools to the available tools.

8. Component: Anomalous Activity Detection – Two Evolving IAFs

Item 1 IAF: Logs provide traceability for all system access by individual users.
TPA Management needs to discuss creating policies concerning the logging of all individual user access to the information technology environment and then determine if TPA should add logging tools to the available tools.

Item 2 IAF: Thresholds have been established to determine activity within logs that would warrant management response.
TPA Management needs to discuss creating policies concerning the logging of all individual user access to the information technology environment, and then determine the exception ceilings and floors: the levels of activity above or below which an event needs to be cleared by management review.

9. Component: Event Detection – Two Baseline IAFs

Item 1 IAF: A normal network activity baseline is established.
TPA Management needs to discuss creating policies for determining the baseline of network activity and how to monitor that activity, and then determine if TPA should add monitoring tools to the available tools.

Item 2 IAF: Processes are in place to monitor for the presence of unauthorized users, devices, connections, and software.
TPA Management needs to discuss creating policies concerning monitoring for unauthorized users, devices, connections, and software, and then determine if TPA should add monitoring tools to the available tools.

10. Component: Event Detection – One Evolving IAF

Item 1 IAF: A process is in place to correlate event information from multiple sources (e.g., network, application, or firewall).
TPA Management needs to discuss creating policies concerning a holistic set of monitoring tools whose output can be correlated, and then determine if TPA should add such tools to the available tools.

11. Component: Patch Management – One Baseline IAF

Item 1 IAF: Patch management reports are reviewed and reflect missing security patches.

12. Component: Patch Management – Five Evolving IAFs

Item 1 IAF: A formal process is in place to acquire, test, and deploy software patches based on criticality.

Item 2 IAF: Systems are configured to retrieve patches automatically.

Item 3 IAF: Operational impact is evaluated before deploying security patches.

Item 4 IAF: An automated tool(s) is used to identify missing security patches as well as the number of days since each patch became available.

Item 5 IAF: Missing patches across all environments are prioritized and tracked.

For all six Patch Management IAFs, TPA Management needs to discuss creating policies concerning patch management and how to monitor the patch management activities, and then determine if TPA should add patch management tools to the available tools.

13. Component: Remediation – One Baseline IAF

Item 1 IAF: Issues identified in assessments are prioritized and resolved based on criticality and within the time frames established in the response to the assessment report.
After this Cybersecurity Assessment Report has been reviewed by TPA Management, management needs to discuss and prioritize the changes to the overall internal control framework. These changes would include creating a tactical plan to move the Maturity Level of the TPA Cybersecurity Internal Control Framework from a High Baseline to a Medium Evolving. Creation of this tactical plan would follow the creation of a formal cybersecurity risk assessment.
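The Patch Management IAFs above ask for a report that shows the missing security patches, the number of days each has been available, and a prioritized list across all environments. The following is an added example of the minimum such a report has to compute; it is not code from this report or from TPA’s tooling. The vendor advisory feed, host inventory, patch identifiers, report date and SLA days are constructed assumptions:

```python
"""Patch-gap report: missing security patches per host, days since each
became available, and a fix-first ordering. Added illustration; every
patch ID, host, date and SLA value below is a constructed assumption."""
from dataclasses import dataclass
from datetime import date

SEVERITY_RANK = {"critical": 0, "high": 1, "moderate": 2, "low": 3}
# Maximum tolerated age of a missing patch, in days (assumed policy values).
SLA_DAYS = {"critical": 7, "high": 14, "moderate": 30, "low": 90}
# Report date used for the worked numbers (the CAR date).
AS_OF = date(2022, 6, 23)


@dataclass(frozen=True)
class Patch:
    patch_id: str
    product: str
    severity: str   # critical / high / moderate / low
    released: date  # vendor release date


# Constructed vendor advisory feed (hypothetical identifiers).
AVAILABLE = [
    Patch("KB-1001", "os", "critical", date(2022, 5, 10)),
    Patch("KB-1002", "os", "low", date(2022, 6, 1)),
    Patch("APP-7", "claims", "high", date(2022, 4, 20)),
    Patch("APP-8", "claims", "moderate", date(2022, 6, 14)),
    Patch("DB-3", "db", "critical", date(2022, 6, 12)),
]

# Constructed host inventory: products each host runs and patches applied.
HOSTS = {
    "fileserver-1": {"products": {"os"}, "installed": {"KB-1001"}},
    "claims-app-1": {"products": {"os", "claims"},
                     "installed": {"KB-1001", "KB-1002", "APP-7"}},
    "db-1": {"products": {"os", "db"}, "installed": set()},
}


def missing_patches(host, as_of=AS_OF):
    """Missing patches for one host, most urgent first: critical before
    high/moderate/low, and within a severity the oldest (longest exposed)
    gap first. Each row carries its age and whether it breaches the SLA."""
    info = HOSTS[host]
    gaps = []
    for p in AVAILABLE:
        if p.product not in info["products"] or p.patch_id in info["installed"]:
            continue
        age = (as_of - p.released).days
        gaps.append({"host": host, "patch_id": p.patch_id,
                     "severity": p.severity, "days_available": age,
                     "overdue": age > SLA_DAYS[p.severity]})
    gaps.sort(key=lambda g: (SEVERITY_RANK[g["severity"]], -g["days_available"]))
    return gaps


def patch_report(as_of=AS_OF):
    """All hosts' gaps plus the totals a reviewer of the report wants to see."""
    rows = [g for h in HOSTS for g in missing_patches(h, as_of)]
    summary = {
        "missing_total": len(rows),
        "overdue_total": sum(g["overdue"] for g in rows),
        "critical_missing": sum(g["severity"] == "critical" for g in rows),
    }
    return rows, summary


if __name__ == "__main__":
    rows, summary = patch_report()
    for g in rows:
        print(f"{g['host']:13} {g['patch_id']:8} {g['severity']:9} "
              f"{g['days_available']:3}d {'OVERDUE' if g['overdue'] else 'ok'}")
    print(summary)
```

The ordering is the point of the exercise: with the constructed data, db-1 shows a critical OS patch that has been available for 44 days ahead of a newer critical database patch, and the low-severity gaps sit at the bottom even though one of them is older. The SLA comparison is what turns "days since the patch became available" into something a reviewer can act on.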
Domain 4: External Dependency Management

Focusing on the Baseline and Evolving Maturity Levels, Management needs to understand the IAFs that need attention to raise the maturity level scores for TPA. Overall, in the External Dependency Management Domain, TPA had a limited number of items that need improvement. TPA Management may choose to rely on the mitigation of some of the risks by looking to its existing entity level controls. This would allow the IAFs to continue as internal control deficiencies that are being mitigated by other internal controls.

TPA has very limited contact with and use of external information processing. It is clear that Management and the staff are not looking for inherent risks in this area because their information technology ecosystem does not contain information processing by outsiders other than the storage of backups. Only four IAFs need attention to bring the External Dependency Management Domain up to a “Baseline” Level of Maturity.

Here is the summary of the current state at TPA for each group of IAFs:

Domain 4: External Dependency Management
Component                              Baseline Yes  Baseline No  Evolving Yes  Evolving No
Assessment Factor: Connections
  Connections                                 1            2            0            5
Assessment Factor: Relationship Management
  Due Diligence                               3            0            2            0
  Contracts                                   3            0            0            3
  Ongoing Monitoring                          1            2            2            2

Areas Where Improvements Need to be Considered

1. Component: Connections – Two Baseline IAFs

Item 1 IAF: A patch management program is implemented and ensures that software and firmware patches are applied in a timely manner.

Item 2 IAF: Patch management reports are reviewed and reflect missing security patches.

2. Component: Connections – Five Evolving IAFs

Item 1 IAF: A formal process is in place to acquire, test, and deploy software patches based on criticality.

Item 2 IAF: Systems are configured to retrieve patches automatically.

Item 3 IAF: Operational impact is evaluated before deploying security patches.

Item 4 IAF: An automated tool(s) is used to identify missing security patches as well as the number of days since each patch became available.

Item 5 IAF: Missing patches across all environments are prioritized and tracked.

For all seven of these IAFs, TPA Management needs to discuss creating policies concerning patch management and how to monitor the patch management activities, and then determine if TPA should add patch management tools to the available tools.

3. Component: Contracts – Three Evolving IAFs

Item 1 IAF: Responsibilities for managing devices (e.g., firewalls, routers) that secure connections with third parties are formally documented in the contract.

Item 2 IAF: Responsibility for notification of direct and indirect security incidents and vulnerabilities is documented in contracts or service-level agreements (SLAs).

Item 3 IAF: Contracts stipulate geographic limits on where data can be stored or transmitted.

4. Component: Ongoing Monitoring – Two Baseline IAFs

Item 1 IAF: Audits, assessments, and operational performance reports are obtained and reviewed regularly, validating security controls for critical third parties.

Item 2 IAF: Ongoing monitoring practices include reviewing critical third parties’ resilience plans.

5. Component: Ongoing Monitoring – Two Evolving IAFs

Item 1 IAF: A formal program assigns responsibility for ongoing oversight of third-party access.

Item 2 IAF: Monitoring of third parties is scaled, in terms of depth and frequency, according to the risk of the third parties.

For each of the Contracts and Ongoing Monitoring IAFs above, TPA Management needs to determine, based on the Cybersecurity Risk Assessment results, whether the IAF needs to be considered in the cybersecurity maturity assessment.

Domain 5: Cyber Incident Management and Resilience

Focusing on the Baseline and Evolving Maturity Levels, Management needs to understand the IAFs that need attention to raise the maturity level scores for TPA.
  • 37.
    TPA Cybersecurity AssessmentReport (CAR) 11/24/2023 37 Overall, in the Cyber Incident Management and Resilience Domain TPA had three of the five Categories of IAFs that are not at the “Baseline” Level of Maturity. Management may need to focus first on this Domain in its Cybersecurity improvement program. There are four IAFs that need attention to bring the Cyber Incident Management and Resilience Domain up to a “Baseline” Level of Maturity. Here is the summary of the current state at TPA for each group of IAFs: Baseline Baseline Evolving Evolving Yes No Yes No Domain 5: Cyber Incident Management and Resilience Assessment Factor : Incident Resilience Planning and Strategy Component: Planning 6 0 3 2 Component: Testing 1 1 0 3 Component: Detection 0 3 0 1 Component: Response and Mitigation 1 0 4 4 Assessment Factor : Escalation and Reporting Component: Escalation and Reporting 1 1 2 1 Areas Where Improvements Need to be Considered 1. Component: Planning – Three Evolving IAFs Item 1 IAF: The remediation plan and process outlines the mitigating actions, resources, and time parameters. TPA Management needs to determine based on the Cybersecurity Risk Assessment results which scenarios would be priority items for the existing information technology environment. Item 2. IAF: Due diligence has been performed on technical sources, consultants, or forensic service firms that could be called to assist the institution during or following an incident. TPA has not had any reported events. TPA Management needs to determine based on the Cybersecurity Risk Assessment results which events would be priority for outside team members in the remediation of an actual event. The existing insurance coverage is one of the first steps in creating and verifying the members of a response team. 2. Component: Testing – One Baseline IAF
  • 38.
    TPA Cybersecurity AssessmentReport (CAR) 11/24/2023 38 Item 1 IAF: Scenarios are used to improve incident detection and response. TPA Management needs to determine based on the Cybersecurity Risk Assessment results which scenarios would be priority items for the existing information technology environment. 3. Component: Testing – Three Evolving IAFs Item 1 IAF: Recovery scenarios include plans to recover from data destruction and impacts to data integrity, data loss, and system and data availability. TPA Management needs to determine based on the Cybersecurity Risk Assessment results, which scenarios would be priority items for the existing information technology environment. Item 2. IAF: Widely reported events are used to evaluate and improve the institution's response. TPA has not had any reported events. TPA Management needs to determine based on the Cybersecurity Risk Assessment results, which events would be priority items for the existing information technology environment. Item 3. IAF: Information backups are tested periodically to verify they are accessible and readable. TPA Management needs to create policies concerning the testing of backups and the monitoring of the backup testing process. 4. Component: Detection – Three Baseline IAFs Item 1 IAF: Alert parameters are set for detecting information security incidents that prompt mitigating actions. TPA Management needs to create policies concerning alert parameters that are set for detecting information security incidents that prompt mitigating actions. Item 2. IAF: System performance reports contain information that can be used as a risk indicator to detect information security incidents. TPA Management needs to create policies concerning systems performance and the information that can be used as a risk indicator to detect information security incidents. Item 3. IAF: Tools and processes are in place to detect, alert, and trigger the incident response program.
  • 39.
    TPA Cybersecurity AssessmentReport (CAR) 11/24/2023 39 TPA Management needs to create policies concerning the tools and processes that need to be put in place to detect, alert, and trigger the incident response program. 5. Component: Detection – One Evolving IAFs Item 1 IAF: The institution has processes to detect and alert the incident response team when potential insider activity manifests that could lead to data theft or destruction. TPA Management needs to create policies concerning the handling of insider activity manifests that could lead to data theft or destruction. 6. Component: Response and Mitigation – Four Evolving IAFs Item 1 IAF: Containment and mitigation strategies are developed for multiple incident types (e.g., DDoS, malware). TPA Management needs to determine based on the Cybersecurity Risk Assessment results which scenarios would be priority items for the existing information technology environment to create containment and mitigation strategies. Item 2 IAF: Processes are in place to trigger the incident response program when an incident occurs at a third party. TPA Management needs to determine based on the Cybersecurity Risk Assessment results which scenarios would be priority items for the existing information technology environment to create containment and mitigation strategies. Item 3 IAF: Records are generated to support incident investigation and mitigation. TPA Management needs to determine based on the Cybersecurity Risk Assessment results what records creation policies need to be put in place for the existing information technology environment. Item 4 IAF: Analysis of events is used to improve the institution's security measures and policies. TPA Management needs to determine based on the Cybersecurity Risk Assessment results what is going to be the after-incident root cause analyst program for the existing information technology environment. 7. Component: Escalation and Reporting – One Baseline IAF
Item 1 IAF: Procedures exist to notify customers, regulators, and law enforcement as required or necessary when the institution becomes aware of an incident involving the unauthorized access to or use of sensitive customer information.
TPA Management needs to determine, based on the Cybersecurity Risk Assessment results, which new policies need to be implemented to notify customers, regulators, and law enforcement as required or necessary when the institution becomes aware of an incident involving the unauthorized access to or use of sensitive customer information.

8. Component: Escalation and Reporting – One Evolving IAF

Item 1 IAF: Tracked cyber incidents are correlated for trend analysis and reporting.
TPA Management needs to determine, based on the Cybersecurity Risk Assessment results, if this IAF should be marked as “not applicable”.
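As an added illustration of the Testing component's backup IAF above (backups are tested periodically to verify they are accessible and readable), the following Python script is hypothetical example code, not part of the TPA report or the FFIEC CAT; the backup set, file names and manifest format are constructed for the demonstration.

```python
"""Backup restore-verification check: confirms every file recorded in a backup
manifest exists, is readable, and still hashes to the value recorded at backup
time. Hypothetical example; the manifest layout is an assumption, not a standard."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large backups are not read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_backup(backup_dir: Path, manifest: dict) -> dict:
    """Return {'checked', 'failures', 'ok'}; 'ok' is True only when no file is
    missing, unreadable, or altered. Each failure names the file and the reason."""
    failures = []
    for rel, expected in manifest["files"].items():
        p = backup_dir / rel
        if not p.is_file():
            failures.append((rel, "missing"))
            continue
        try:
            actual = sha256_of(p)
        except OSError as exc:  # permission or media error: not readable
            failures.append((rel, f"unreadable: {exc}"))
            continue
        if actual != expected:
            failures.append((rel, "hash mismatch"))
    return {"checked": len(manifest["files"]), "failures": failures, "ok": not failures}


def build_demo_backup() -> tuple:
    """Constructed sample backup set: one good file, one silently corrupted after
    the manifest was written, and one recorded in the manifest but never stored."""
    root = Path(tempfile.mkdtemp())
    contents = {"claims.db": b"claim records", "policies.csv": b"policy,holder\n"}
    manifest = {"files": {}}
    for name, data in contents.items():
        (root / name).write_bytes(data)
        manifest["files"][name] = hashlib.sha256(data).hexdigest()
    # Constructed failure cases: entry with no file, and corruption after backup.
    manifest["files"]["audit.log"] = hashlib.sha256(b"never written").hexdigest()
    (root / "policies.csv").write_bytes(b"policy,holder\nTAMPERED\n")
    return root, manifest


if __name__ == "__main__":
    demo_root, demo_manifest = build_demo_backup()
    print(json.dumps(verify_backup(demo_root, demo_manifest), indent=2))
```

A scheduled run of such a check, with its report retained, is the kind of evidence the "monitoring of the backup testing process" in the recommendation above would rely on.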
Appendix F: Cybersecurity Maturity Level Determination

The second activity in the overall assessment was to have TPA look at the maturity level of the cybersecurity related internal controls that are present in its framework of internal controls. The maturity level was noted by TPA personnel using the criteria provided by the FFIEC CAT, which ranks each control within five domains on a scale from “Baseline” to “Innovative”.

Maturity Levels Defined

Baseline: Baseline maturity is characterized by minimum expectations required by law and regulations or recommended in supervisory guidance. This level includes compliance-driven objectives. Management has reviewed and evaluated guidance.

Evolving: Evolving maturity is characterized by additional formality of documented procedures and policies that are not already required. Risk-driven objectives are in place. Accountability for cybersecurity is formally assigned and broadened beyond protection of customer information to incorporate information assets and systems.

Intermediate: Intermediate maturity is characterized by detailed, formal processes. Controls are validated and consistent. Risk-management practices and analysis are integrated into business strategies.

Advanced: Advanced maturity is characterized by cybersecurity practices and analytics that are integrated across lines of business. The majority of risk-management processes are automated and include continuous process improvement. Accountability for risk decisions by frontline businesses is formally assigned.

Innovative: Innovative maturity is characterized by driving innovation in people, processes, and technology for the institution and the industry to manage cyber risks. This may entail developing new controls, new tools, or creating new information-sharing groups. Real-time, predictive analytics are tied to automated responses.

Five Risk Domains

Domain 1: Cyber Risk Management and Oversight
Domain 2: Threat Intelligence and Collaboration
Domain 3: Cybersecurity Controls
Domain 4: External Dependency Management
Domain 5: Cyber Incident Management and Resilience
Domain 1: Cyber Risk Management and Oversight

Assessment Factors include: Governance; Risk Management; Resources; Training and Culture

Governance: Covers strategies for maintaining policy and oversight in cybersecurity initiatives. Governance of critical business assets for financial services should include inventory assessment for applicable assets and maintenance of policies for protecting them against advanced threats. Baseline status indicates that management is having discussions about risks related to critical infrastructure, while an institution with an Innovative maturity level has a committee to verify management’s actions for mitigating risks around that critical infrastructure. Policies should be updated and enforcement should be verified, and a formal IT asset management inventory with real-time accuracy and classification management should be established. These aspects are necessary in order to be considered Innovative in governance maturity.

Risk Management: Financial institutions should have assigned officers for risk management and responsibility for critical business assets. The risk management function identifies and analyzes commonalities in cyber events that occur both at the institution and across other sectors to enable more predictive risk management. There should be a process in place to analyze the financial impact that a cyber incident at the institution may have across the financial sector. Organizations should establish a risk management program that performs real-time risk assessments and audit functionality. To be considered Innovative, an institution’s risk assessments should be updated in real time as changes to the inherent risk profile occur, new applicable standards are released or updated, and new exposures are anticipated. Innovative institutions use information from risk assessments to predict threats and drive real-time responses, as well as advanced or automated analytics. Institutions should have internal audit teams to identify gaps in existing security measures. Automated audit reporting for external audits is essential for preparedness and accuracy.

Resources: Includes staffing, tools, and budgeting processes to ensure the institution’s staff or external resources have knowledge and experience commensurate with the institution’s risk profile. Cybersecurity staffing should include proper training and industry news seminars for up-to-date trends and threat monitoring.

Training and Culture: Includes the employee training and customer awareness programs contributing to an organizational culture that emphasizes the mitigation of cybersecurity threats. Having a security awareness program and testing its effectiveness will enhance the overall security culture.
Domain 2: Threat Intelligence and Collaboration

Threat Intelligence: Covers the identification, tracking, and ability to predict cyber threats. An Innovative institution has a threat analysis system that automatically correlates threat data to specific risks and then takes risk-based automated actions while alerting management. The institution is investing in the development of new threat intelligence and collaboration mechanisms (e.g., technologies, business processes) that will transform how information is gathered and shared. There are a number of open source threat intelligence feeds that can provide quicker and more up-to-date threat intelligence.

Monitoring and Analyzing: Considers how an institution monitors threats and what analysis is performed to identify and remediate vulnerabilities tied to the targeted threats. Integrating with other threat intelligence sources and systems is the best holistic approach for monitoring and alerting for advanced threats. Automatic alerting that is meaningful and compelling can narrow the scope from traditional log mining techniques, which typically produce many false positives. While a Baseline level institution logs security events and uses those logs for post-event investigations, an Innovative one has multiple intelligence inputs and tools that enable it to predict attacks and trends.

Information Sharing: Encompasses establishing relationships with peers and information sharing forums, and how threat information is communicated to those groups as well as internal stakeholders. Sharing cyber threat intelligence with business units in real time, including the potential financial and operational impact of inaction, is key to becoming more Innovative. A system should automatically inform management of the level of business risk specific to the institution and the progress of recommended steps taken to mitigate the risks.

Domain 3: Cybersecurity Controls

Preventative: The controls for preventative security measures include infrastructure management, access and asset management, device/endpoint security, and secure coding practices. Innovative institutions maintain risk scores for all of their infrastructure assets and update them in real time based on threats, vulnerabilities, or operational changes. An institution should have a process for managing customer, employee, and third-party authentication and access. There should also be a mix of encryption and authentication for sensitive transactions and information. Endpoint protection is critical, as that is where data resides and is the most prized target of a malicious attack. To protect the “crown jewels” there should be a centralized endpoint management tool that provides fully integrated patch, configuration, and vulnerability management, while also being able to detect malware upon arrival to prevent a security incident and/or attack. Secure coding practices are essential for limiting vulnerabilities found in new software, and automated tools in the development environment should actively scan software code so that security weaknesses can be resolved immediately during the design phase.

Detective: Activities performed for detective controls include threat and vulnerability detection, anomalous behavior activity detection, and event detection. Having a central console that consolidates and provides alerts in real time about both insider and outsider threats would help an organization qualify as Innovative for detective threat and vulnerability measures. There should be automatic alerts when anomalous behavior or security events occur. The reporting features of the detective solution should provide traceability of the entire timeline of any security event and respond with corrective actions in real time.

Corrective: Patch management and remediation are considered corrective controls. To achieve Innovative status there should be a formal process in place to acquire, test, and rapidly deploy software patches based on criticality, and systems should be configured to retrieve patches automatically. Remediation steps are key to getting all systems back to acceptable levels for operations and resolved from a security incident. The institution should be able to remediate systems damaged by zero-day attacks to maintain current recovery time objectives. Remediation is only effective if it happens quickly; otherwise, the intended damage is done. Remediation steps after vulnerability scans, pen tests, risk assessments, and security incidents should all be in real time to achieve Innovative maturity.

Domain 4: External Dependency Management

Connections: Includes the identification, monitoring, and management of external connections and data flows to third parties. To be considered Innovative, an institution should maintain a monitoring tool that records involvement with third parties via inbound/outbound connections, web portals, or other means of data transfer; this tool should also have real-time alerts for incidents such as unauthorized access attempts and anomalous behavior.

Relationship Management: Includes due diligence, contracts, and ongoing monitoring to help ensure controls complement the institution’s cybersecurity program. Third party risk assessment teams and management should conduct the proper due diligence when selecting third parties that have some kind of elevated data access privilege. Diagramming how they receive, store, process, transmit, and ultimately delete the information to which they have access is an essential step of third party risk management. Contract language should be structured to secure critical assets and require performance baselines from vendors and contractors.
Domain 5: Cyber Incident Management and Resilience

Incident Resilience Planning & Strategy: Incorporates resilience planning and testing into existing business continuity and disaster recovery plans to minimize service disruptions and the destruction or corruption of data. Baseline level organizations have identified roles and responsibilities and have a communications plan in the event of an incident, whereas at Innovative institutions the incident response plan is designed to ensure recovery from disruption of services, assurance of data integrity, and recovery of lost or corrupted data following a cybersecurity incident. The incident response process also includes detailed actions and rule-based triggers for automated response. Depending on the nature of an institution’s business, defined recovery time objectives and a baseline for recovery should be stated in the planning documentation.

Detection, Response, & Mitigation: Refers to the steps management takes to identify, prioritize, respond to, and mitigate the effects of internal and external threats and vulnerabilities. In an Innovative environment the organization is able to detect and block zero-day attempts and inform management and the incident response team in real time. Incident response teams should be able to trace a security incident through the entire process tree to see how it occurred and create future remediation action plans around the vulnerability that was exploited.

Escalation & Reporting: Ensures key stakeholders are informed about the impact of cyber incidents, and that regulators, law enforcement, and customers are notified as required. A mechanism should be in place to ensure real-time notification of incidents to management and essential employees through multiple communication channels, with tracking and verification of receipt. Having a real-time alert and reporting solution will allow management to escalate critical events in a timely manner and, if mitigated appropriately, possibly avoid lengthy public news articles and press coverage.
Appendix G: Criteria Development Materials Used

Federal Financial Institutions Examination Council (FFIEC) – Cybersecurity Assessment Tool (CAT)
https://www.ffiec.gov/cyberassessmenttool.htm

ISO/IEC 27001 – Information technology – Security techniques – Information security management systems – Requirements (available for purchase at the ANSI Webstore, https://webstore.ansi.org)

New York State Department of Financial Services 23 NYCRR 500 – Cybersecurity Requirements for Financial Services Companies
https://www.dfs.ny.gov/industry_guidance/cybersecurity

National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law
https://content.naic.org/sites/default/files/inline-files/MDL-668.pdf

NIST Special Publication 800-53 Revision 5 – Security and Privacy Controls for Information Systems and Organizations
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf