6 Common Misunderstandings of the FFIEC Cybersecurity Assessment Tool
Since its introduction three years ago, the Federal Financial Institutions Examination Council’s (FFIEC) Cybersecurity Assessment Tool (CAT) has been the focus of much attention within the financial services industry. The CAT helps financial institutions identify their risks, such as gaps in IT security, and measure their cybersecurity preparedness so they can pinpoint areas for improvement.
While many financial institutions have completed the CAT, some misunderstandings about the assessment are still widespread. The six most common misconceptions we have seen are:
- Filling out the CAT improves an institution’s position against a cyber-threat
Completing the CAT identifies an institution’s areas of risk and its level of cybersecurity maturity, but filling it out does not by itself change anything. Once the assessment is complete, the institution’s risks must be compared against its maturity level so that areas where risks are not mitigated appropriately can be identified. If your institution has filled out the assessment but has not done a gap analysis between its risks and its maturity, you are not done.
Additionally, if you have filled out the assessment but have not yet changed your security posture based on the results, you are not done either.
- Filling out the Cybersecurity Assessment Tool is all that is required
Many institutions have stopped working on the CAT after their exam because examiners only required them to complete the assessment. Simply filling out the CAT does not come close to addressing the FFIEC guidance or the full intent of the CAT. If your institution has stopped here, there is much more to do to enhance your cybersecurity procedures. If you do not review your institution’s security gaps and improve your compliance processes, you will continue to lag behind.
- The CAT doesn’t have to be completed anytime soon
At this point, many examiners are simply asking financial institutions whether they have filled out the CAT. If your institution has not yet done so, you should complete it soon to ensure your institution meets examiner expectations. When you are finished, establish a timeline and action plan outlining how you will incorporate your responses and assessment findings into your cybersecurity plan.
- The CAT can be completed by just one person
Completing the CAT is not a one-person job, because it requires input from a variety of departments within the institution. The 59-page assessment spans several job roles, which makes it a cumbersome task for one individual and can lead to inaccurate responses. Key personnel from every affected department should fill out the assessment together to ensure an accurate view of the institution.
- I completed the CAT and passed my exam, so I don’t need to do anything regarding the CAT for my next exam
Time after time, examiners write up institutions in areas where they did well in past examinations. The bad news is that once regulators write up a bank for one infraction, they typically examine other areas more closely, which leads to additional findings. Don’t assume that because your examiner was content with your assessment in the past there aren’t other areas where you can improve. Fill out the assessment; review your inherent risk profile and cybersecurity maturity level; and look for ways to enhance your compliance processes to increase your institution’s cybersecurity preparedness.
- The CAT is not a requirement
When the CAT was initially released, it was promoted as a free and optional tool available to financial institutions to help assess their cybersecurity preparedness. While it is true that you do not have to use the CAT, all financial institutions are required to evaluate inherent risk and cybersecurity maturity in some way, which requires a robust assessment program. If your assessment differs from what the examiner expects, it could lead to more questions or more scrutiny. While a better way to assess cybersecurity might exist, charting your own course for assessing your risks is a little like taking a small rowboat out into uncharted water.
The CAT is now the baseline many auditors and examiners are using, so completing it enables financial institutions to address cybersecurity risks and meet examiner expectations with confidence. However, while it is important to complete the CAT, the key is making the results actionable and remedying any issues that arise.
Safe Systems developed the Cybersecurity RADAR solution, which combines compliance expertise with an Enhanced Cybersecurity Assessment Tool (ECAT) application to help document notes for examiners, create reports and maintain an up-to-date record of the assessment. Safe Systems also offers a knowledgeable team that gives expert advice and support to ensure a more streamlined assessment process.
For more information, download our white paper, Understanding the FFIEC’s CAT: How Your Institution Can Improve Its Cybersecurity Posture.