Frequently Asked Questions

Q. If I complete the process and download the reports, can I later go back into the program and update information and then download a new report?
A. Yes. With your user name and password you will be able to access your information at any time.

Q. I also would like another person here at the bank to go through the questions as well; can they log in and review my answers, make changes and then download a report based on their answers?
A. At this this time, multi-user functionality for a single institution is not offered in this free Cyber-RISK Cybersecurity Assessment Tool.

Q. Is there a way to get a nice printout of the selections made in the Inherent Risk Model?
A. Yes. You can now download all of your responses for a finalized report by clicking the download link under the "Your Responses" column in the reports tab.

Q. What does the Finalize button do?
A. The “Finalize” button essentially creates a “save point” for your Cybersecurity Assessment, allowing you to compile reports of your Cybersecurity Assessment Report from different time-periods. Your Cyber-RISK data and answers remain unchanged. If you have any issues with the “Finalize” process in Cyber-RISK, please contact the Help Desk at

Q. My Inherent Risk level is “Least”, my Cybersecurity Maturity level is “Baseline” and “Evolving,” the “Baseline” box is selected; does this mean that I do not have to address items in the “Evolving” maturity level?
A. No. The checkbox in the “Baseline” means that you are doing the minimum for your Inherent Risk level.

Q: What if our bank meets all but one of the multiple items listed in an Inherent Risk category (the ATM Inherent Risk item is a frequent question), should I still select that Inherent Risk category?
A: If your institution falls in-between answers for a particular question (I.E. your institution meets requirements for a "Minimal" item, but also meets some of the requirements for a "Moderate" item), the FFIEC would suggest that you select the Inherent Risk category with the higher inherent risk. However, it also that it’s not intended to be rigid but rather instructive to assist with assessing the appropriate risk level.

Q. I am entering a lot of information in here about my institution. How is my information secured?
A. The website and database are housed in an off-site data center located in the North Central US. The site is secured with an Extended Validation SSL Security Certificate. All data between the database, website, and user is encrypted in transit. SBS has performed a penetration test against the site with no critical, high, or medium vulnerabilities identified. The data is held in a data center and operating environment that complies with the following security certifications:

  • PCI DSS Level 1
  • SOC1
  • SOC2
  • FIPS 140-2
  • CSA
  • FedRAMP
  • ISO 27001
  • ISO/IEC 27018
  • ISO 27002:2013
  • CJIS
  • G-Cloud
  • IRAP (Aus)
  • CDSA
  • EU Model Clauses
  • FDA 21 CFR Part 11
  • MLPS
  • MTCS

Where can I find additional information?
Additional information can be found at the following link :