IT Risk Assessment

Most credit unions know that IT risk assessments are required elements of regulatory compliance. While this is true, IT risk assessments can provide a great deal of business value by helping credit unions to improve their security posture over time. Let’s first explore the regulatory perspective.

The FFIEC Information Technology Examiner’s Handbook specifies that conducting an IT risk assessment is a requirement for all banks and credit unions. While the handbook does not determine a precise process for performing this assessment, this guide, and supplemental publications from NCUA and FDIC, do point to aspects that must be covered within the assessment.

What Is an IT Risk Assessment? 

The FFIEC handbook defines a risk assessment as “a prioritization of potential business disruptions based on severity and likelihood of occurrence. The risk assessment includes an analysis of threats based on the impact to the institution, its customers, and financial markets, rather than the nature of the threat.”

This is where many of the in-house risk assessments we’ve seen over the years fall short. Often, an institution will download a template from the internet, enter basic information about their IT systems, and the likelihood of various threats to those systems from their perspective.

While basic templates are reasonable starts, they do not meet the intention of the risk assessment process. Per the NCUA IT Security Compliance Guide, the intent is to “continually review their current policies and procedures to make certain they are adequate to safeguard member information and member information systems, ensure the proper disposal of member information, and include in their written information security program both their review and their findings.”

The FFIEC Examiner’s Handbook specifies the need for information security that promotes the commonly accepted objectives of:

  • Confidentiality
  • Integrity
  • Availability of information

The NCUA and other examination agencies also call out the need to examine security guideline risks beyond what we commonly think of as IT risks, such as risks to records maintained in paper form. Most in-house IT staff at SMB banks and credit unions do not have the time or experience to go past a basic list of systems, potential threats, and the controls they have in place. They generally simply don’t have the bandwidth to delve deeply enough to satisfy the intent of a full IT risk assessment.

Here to Help – SilverSky’s IT Risk Assessment Approach

The gap between what most internal IT staff’s understanding of a risk assessment and the expectations of federal examiners is a great opportunity for SilverSky to help. Over many years of direct work with SMB banks and credit unions, SilverSky has developed a comprehensive risk assessment program that:

  1. Identifies information assets that contain or process customer information. This includes hardware like servers and NAS, workstations, systems (tellers servers, mail service, imaging systems, etc.) and physical items such as loan documents, signature cards, and backup tapes.
  2. Rates the sensitivity of the information on the listed devices in relation to confidentiality, integrity, and availability.
  3. Identifies and rates the likelihood of various internal and external threats to the assets.
  4. Identifies the technical and administrative control in place for issues such as antivirus, firewall, formal scheduled review of audit logs, and more.
  5. Produces a residual risk score for all assets.
  6. Make suggestions for additional controls or actions for items with high residual risk.

At the end of the assessment, the customer is provided both a detailed report containing lists of threats and controls for IT staff and an executive report with colored bar graphs representing residual risk levels and simply stated recommendations.

Our risk assessment process goes well beyond simply satisfying GLBA compliance for examiners. Rather, it becomes a tool for internal staff to see areas for improvement in their intuition’s risk posture and is a great point of entry for SilverSky to offer assistance to meet identified improvement goals through our managed and consulting services.

Finally, it should be noted that an IT risk assessment should not be considered static. It is an ongoing process to identify new risks as they arise and to assess the risk status of systems as they are added.

If you need help, SilverSky is here for you. Don’t hesitate to reach out to us at 1-800-234-2175 or

Managed Security Services

Your around the clock SOC.

Managed Endpoint Detection and Response

Some attacks will succeed. Don’t worry—we have you.

Managed Detection and Response

Augment your IT team using our expertise and the latest technologies.

Email Protection Suite

Defending against the leading attack vector.

Cloud Email and Collaboration

More than ever, the cloud is essential.

Incident Response Readiness

When a breach occurs, you’ll be ready.

Compliance & Risk Services

Take the next steps on your cybersecurity maturity journey.

Trusted Cybersecurity for an Uncertain World

Understand, detect, and effectively respond to threats, reduce business risk and improve the return on your security investment.

Financial Services

We comply with the same regulations you do.


Affordable defenses for a sector under attack.


SilverSky stands between cybercriminals and your customers’ data.

Benefits of a Single Vendor Relationship

The Cooperative Bank of Cape Cod found itself especially appreciative of SilverSky’s comprehensive solution set—particularly as they rapidly, but securely, enabled employees to work remotely.


Automated Cybersecurity Examination Tool


Health Insurance Portability and Accountability Act


Payment Card Industry Data Security Standard


Federal Financial Institutions Examination Council


Gramm-Leach-Bliley Act

ACET Helps Credit Unions Further Their Missions

Learn how going all in for ACET protects customers and the health of community-based financial services.


Articles, guides, ebooks, tools, on-demand webinars, case studies, and more. Explore a range of topics.

Press & Events

Press releases, upcoming conferences and trade shows, and future and on-demand webinars

Revisiting Cybersecurity’s Delicate Balance

Learn how CISOs are rebalancing prevention, detection, and response for stronger cyber defenses.

About Us

Trusted cybersecurity for an uncertain world.


Looking to join the fight against cybercriminals?

Security Management Console

Comprehensive customer portal for state of devices, reports for compliance, support tickets, and more.

Transforming Cybersecurity Culture from Corner Offices to Cubicles

Executives are increasingly thinking about cybersecurity management in a similar manner as they would any other risk assessment. This guide is here to help.