In response to the increased occurrence of cybersecurity breaches and attacks, the Federal Financial Institutions Examination Council (FFIEC) developed the Cybersecurity Assessment Tool (CAT) to help institutions identify their risks and determine their cybersecurity preparedness. Since its introduction, the CAT has become the baseline that many examiners now use to evaluate cybersecurity, so completing it positions financial institutions to better address risks and meet examiner expectations with greater confidence.
While financial institutions recognize that completing the CAT is an important part of maintaining compliance, in truth it is only the first step that financial institutions should take.
Phases of CAT Enforcement
Phase one of the CAT rollout was largely focused on examiners verifying that financial institutions were aware of the CAT and encouraging them to complete it. While this varied by institution, state, and governing body, the first year offered the most leeway for financial institutions.
Most examiners are operating in phase two of the CAT enforcement process today. In this phase, the primary question many financial institutions faced during their exam was, “Have you completed the CAT?” With cyber risks becoming a more common and pervasive problem, this cannot be the long-term expectation examiners hold for financial institutions. So while most institutions can answer “yes” during phase two, the examination process will eventually have to evolve to require financial institutions to do more.
Phase three of the CAT requires regulators to ensure that financial institutions are actively taking steps to respond to their CAT findings. Financial institutions that are not remedying cybersecurity lapses or vulnerabilities discovered through the CAT will likely be cited and may receive poor compliance ratings. There is pressure on regulators to take this step, because when the next banking cyberattack happens they can be called before Congress to explain why enforcement has not been working. So moving forward, financial institutions will need to not only complete the CAT but also clearly demonstrate the steps they have taken in response to their CAT findings.
Next Steps After Completing the CAT
The good news is that the majority of financial institutions have successfully completed the CAT, so the key is making those results actionable and taking steps to remedy any issues that arise.
The challenge is that completing the CAT and then fixing every uncovered vulnerability and gap is a daunting process. Working with a trusted IT partner enables financial institutions to realize significant operational efficiencies in their cybersecurity processes and to ensure that all gaps and vulnerabilities are properly addressed, leading to a better cybersecurity posture and enhanced compliance ratings. Safe Systems helps financial institutions manage their cybersecurity program in a more time-efficient manner and ensure they meet their compliance requirements.
Safe Systems developed its Cybersecurity RADAR solution, which combines compliance expertise with an Enhanced Cybersecurity Assessment Tool (ECAT) application to help document notes for examiners, create reports, and maintain an up-to-date record of the assessment. This is paired with a knowledgeable team that provides expert advice and support to ensure a more streamlined assessment process.
For more information, download our white paper, Understanding the FFIEC’s CAT: How Your Institution Can Improve Its Cybersecurity Posture.