Your Cyber Risk Readiness IQ

Starting

On the ground floor, with significant room for improvement.

Developing

Average performer, with basic capabilities and much room for improvement.

Optimizing

Above-average performer, with solid capabilities and some room for improvement.

Leading

Among the top performers, with established best practices and limited room for improvement.

See how your
financial institution compares.

The risk of a cyberattack on your financial institution is significant. An attack or data breach could result in significant monetary loss, not to mention damaged financial performance, business continuity and community trust.

This easy-to-complete cyber risk benchmarking tool will pinpoint risk areas that are strong or lacking and make tangible recommendations for improvement.

START

Which statement best describes the level of change your institution will experience in the next 12-24 months due to internally-driven initiatives, such as technology changes, new products, opening branches, new employees, etc.?

Select one option:

We anticipate a significant amount of change coming from internal initiatives

We anticipate a good amount of change coming from internal initiatives

We anticipate a limited amount of change coming from internal initiatives

We anticipate almost no change coming from internal initiatives

How confident are you in your ability to identify risk and design controls to effectively mitigate those risks?

Select one option:

Very - we have robust risk assessments and strong systems of controls

Mostly - we have decent risk assessments and control design processes

Average - we recognize our risk assessments and control design processes need improvement

Not very confident

Do you have comprehensive access to real-time data, KPIs, and KRIs related to your information security and cybersecurity programs?

Select one option:

Yes, we have good access, and the information supports decision making

We have sufficient access for our needs, with some restrictions

Not currently but we plan to improve monitoring and reporting on KPIs/KRIs

No access and no plans to improve

To what extent are governance and compliance activities automated?

Select one option:

Fully automated

Mostly automated (~50%)

Partly automated (less than ~50%)

Currently only a few or no automated workflows

Select the most accurate statement:

Select one option:

Our examiners have no criticism of our current program

Our examiners have verbally identified areas that need improvement

Our examiners recommended we mature our program in writing

We are under a MRA or Enforcement Action related to our program

Which best describes your cybersecurity talent?

Select one option:

Mostly outsourced with limited internal expertise

Mostly outsourced with some internal expertise

Internally staffed with moderately experienced staff or short-tenured staff

Internally staffed with highly experienced or long-tenured staff

Do you feel like you are adequately managing information security and cyber risks?

Select one option:

Yes, we have an excellent program and do a good job staying on top of new and emerging risks

Mostly, we have a solid program but staying on top of new and emerging risks is difficult

Kinda, but we recognize our program needs some work

Not even close

Does your institution have strategic objectives or growth initiatives in flight that impact your information security or cyber risk profile?

Select one option:

Yes, multiple strategic objectives will increase risk

Yes, at least one will increase risk

Yes, but the focus is on better managing or decreasing risk

None of our strategic or growth objectives will impact our cyber or information security risk profile

To what extent do you use technology such as SIEM, IDS/IPS, EDR, etc?

Select one option:

Optimal use - mostly technology based with humans monitoring alerts and reporting

Moderate use - have some technology in place but could benefit from additional tools

Low use - basic technology in place but mostly manual

No or almost no use of security technology

Which best describes your process for planning and implementing improvements to your program or security posture?

Select one option:

We conduct a thorough risk assessment prior to planning

We leverage consultants

Our changes are mostly reactive

We leverage peer groups, industry associations, external trainings, etc.

How likely are you to stop cyber fraud?

Select one option:

Very likely - we have a monitoring system designed specifically for detecting and stopping cyber fraud

Likely - we depend on our security operations to identify potential cyber fraud but the program isn't designed specifically for fraud

Low likelihood - we use a transaction monitoring fraud tool and haven't really considered what we're missing on the cyber side

Zero likelihood - we have nothing in place that would identify or stop fraud

How confident are you in your ability to stay informed on new and emerging cyber fraud threats?

Select one option:

Very - we have internal expertise, and we leverage external resources

Mostly - we do better than most at staying informed but recognize the threat landscape changes quickly

Average - staying up to date is a challenge, and we often find ourselves being reactive instead of proactive

Not confident

I am a...

Select one option:

Bank

Credit Union

What is your bank/credit union’s asset size?

Select one option:

Less than $500 million

$501 million – $1 billion

$1.1 billion – $2 billion

$2.1 billion – $10 billion

$10.1 billion – $20 billion

More than $20 billion

Show results

Calculating

See how yourfinancial institution compares.

See how your
financial institution compares.