The Federal Financial Institutions Examination Council (FFIEC) published the Cybersecurity Assessment Tool (CAT) in June 2015 to help financial institutions better identify and evaluate their cybersecurity risk awareness and readiness. The tool consists of a comprehensive set of questions to evaluate the cybersecurity risk of a financial institution and is designed to encourage consistent analysis, evaluation, and examination of cybersecurity risks for financial institutions.
The CAT essentially consists of two parts: 1) the Inherent Risk Profile and 2) Cybersecurity Maturity. The Inherent Risk Profile identifies the institution’s inherent risk before security measures have been implemented. It is a staged approach: once the Inherent Risk Profile has been determined, financial institutions then focus their attention on the Cybersecurity Maturity section.
Successful completion of the CAT for Inherent Risk and Cybersecurity Maturity provides financial institutions with practical insight in two specific areas:
- Risk Grade
Completion of the Inherent Risk Profile gives financial institutions a risk grade in each potentially vulnerable security area, such as payments, teller processes and online banking operations. This gives the financial institution insight into how examiners are likely to see their relative risk exposure.
- Gap Analysis
Completing the Cybersecurity Maturity section helps financial institutions form a gap analysis to better identify missing controls and processes. To increase the level of cybersecurity maturity, financial institutions should continually implement changes and monitor their progress, and the gap analysis is the first step in this process.
The CAT also enables financial institutions to review their Inherent Risk Profile in relation to their Cybersecurity Maturity results, which will indicate if they are aligned. As one might expect, as inherent risk rises, an institution’s maturity level should also increase. However, an institution’s inherent risk profile and maturity levels will change over time as threats, vulnerabilities, and operational environments change, making it necessary for institutions to complete the CAT periodically or when making adjustments to their organizations.
It is important to note that while there are online tools available to complete the CAT, the key is in making those results actionable, which may require third-party expertise. That is why Safe Systems developed the Cybersecurity RADAR solution, which combines compliance expertise with an Enhanced Cybersecurity Assessment Tool (ECAT) application to help document notes for examiners, create reports, and maintain an up-to-date record of the assessment. Safe Systems also provides a knowledgeable team that offers expert advice and support to ensure a more streamlined assessment process.
The CAT is now the baseline many auditors are using, so completing it (and, more importantly, understanding the results) enables financial institutions to address cybersecurity risks and meet examiner expectations with confidence. Working with a trusted IT partner enables financial institutions to realize significant operational efficiencies in their CAT assessment reviews and reporting, leading to a better understanding of regulatory expectations and helping to enhance their cybersecurity posture. Safe Systems can help financial institutions manage their cybersecurity program in a more time-efficient manner to ensure they meet their compliance needs.
For more information, please download our white paper, Understanding the FFIEC’s CAT: How Your Institution Can Improve Its Cybersecurity Posture.