The CAT Isn’t Mandatory, So Why Should We Complete It?

Due to the increasing volume and sophistication of cyber threats financial institutions are facing, the Federal Financial Institutions Examination Council (FFIEC) developed the Cybersecurity Assessment Tool (CAT) to help institutions identify their risks and determine their cybersecurity preparedness with a repeatable and measurable process. The CAT helps financial institutions weigh specific risks such as gaps in IT security, versus controls or solutions aimed to prevent, detect and respond to these threats and determine areas for improvement. Each institution is then responsible for identifying its own risk appetite and establishing its desired level of maturity. Using the CAT, financial institutions can understand where their security practices fall short and how to effectively address those gaps.

When the CAT was initially released in 2015, it was promoted as a free and optional tool available to financial institutions to help assess their cybersecurity preparedness. However, regulatory agencies including the Federal Deposit Insurance Corporation (FDIC) and the National Credit Union Administration (NCUA) have announced plans to incorporate the assessment into their examination procedures. Today, many examiners are using the tool to assess an institution’s cybersecurity readiness and have already begun to issue citations to financial institutions that have lapses or are not meeting expectations.

Even though the CAT is voluntary, all financial institutions are required to evaluate inherent risk and cybersecurity maturity in some way, which requires a robust assessment program. Completing the CAT is a good way to prepare for audits since the guidelines provide community banks and credit unions with detailed information on the federal government’s expectations for cybersecurity preparedness. The CAT enables financial institutions to identify vulnerabilities, fill in security gaps, and demonstrate a stronger security posture before the examination begins.

In addition to meeting examiner expectations, completing the CAT benefits financial institutions by helping them:

• Determine whether controls are properly addressing their identified risks
• Identify cyber risk factors and assessing cybersecurity preparedness
• Make more informed risk management decisions
• Demonstrate the institution’s commitment to cybersecurity and
• Prepare the organization for an upcoming audit.

When using the CAT correctly, it can provide a cost-effective methodology to help improve security, instill client trust, and avoid losses from a breach. For it to provide the greatest positive impact it should be completed periodically on an enterprise-wide basis, as well as when significant operational and technical changes occur. Completing the CAT helps community banks and credit unions understand the key risks they face and what controls they need in place to protect the institution’s data, leading to increased knowledge of regulatory expectations and a stronger, more compliant cybersecurity program.

For more information, please download our complimentary white paper, Understanding the FFIEC’s CAT: How Your Institution Can Improve Its Cybersecurity Posture.