Beyond the FFIEC CAT: Evolving Strategies for Cyber Resilience in 2024
As cyberattacks continue to increase in frequency and impact, incorporating a dynamic cybersecurity strategy and building resilience to cyberattacks is an important objective for all Financial Institutions (FIs). As part of our country’s critical infrastructure, banks and credit unions are held to high regulatory standards for keeping non-public information (NPI) and financial transactions secure. This is why in 2015 the Federal Financial Institutions Examination Council (FFIEC) developed a Cybersecurity Assessment Tool (CAT) with FIs in mind. For the past nine years, many FIs in the United States have used the CAT annually to identify changes in inherent risk that may lead to cyber vulnerabilities. They also use it to assess both control maturity and cybersecurity readiness over time. The CAT continues to be an acceptable cyber preparedness tool, but many FIs are wondering, “Is the CAT enough?”
Cybersecurity Resource Guide
In 2018, the FFIEC issued a Cybersecurity Resource Guide to expand acceptance of other cybersecurity frameworks and resources, including websites, tools, and methodologies like NIST Cybersecurity Framework 1.0. Designed to strengthen resiliency, it was updated in 2022 to address changes in the cyber landscape and emerging threats such as ransomware. One of the resources in the updated guide is the Ransomware Self-Assessment Tool (RSAT). The Bankers Electronic Crimes Task Force, State Bank Regulators, and the United States Secret Service collaboratively developed the RSAT. This question-based tool assists FIs in evaluating their efforts to mitigate specific ransomware risks and identify security gaps.
The overarching message of the FFIEC’s Cybersecurity Resource Guide is that FIs should not “over-rely” on a single methodology for measuring control maturity and cybersecurity preparedness, but should instead integrate a dynamic cybersecurity strategy for long-term resilience.
NIST Cybersecurity Framework (CSF) 2.0
In February 2024 another update was released, NIST CSF 2.0, which underscores the importance of a solid governance structure within an organization’s cybersecurity strategy. The release adds a sixth function, ‘Govern,’ which highlights the importance of developing well-defined internal management roles and clear policies and procedures to assess and prioritize risk. This function incorporates the increased focus from regulatory agencies on third-party risk management and provides implementation examples.
The emphasis on governance is a reminder of the ongoing challenge that many financial institutions, particularly smaller community banks and credit unions, face in dedicating resources to the role of the Information Security Officer. The updated CSF presents an opportunity for institutions of all sizes to re-assess inherent cyber risks and consider internal infrastructure changes that could impact cyber resiliency. This type of re-evaluation is especially critical when significant roles in IT or information security management change frequently due to retirement, leave, or other job shifts. By emphasizing governance and risk management policies, CSF 2.0 gives banks and credit unions a framework to evaluate their cybersecurity preparedness, while also providing a strategic edge in the continuous fight against cyber threats.
As financial institutions continue their efforts to combat the growing number and sophistication of cyberattacks, a renewed cybersecurity strategy based on the FFIEC CAT along with other enhanced resources, such as the RSAT 2.0 and NIST CSF 2.0, could make significant strides toward improving cyber resiliency.
For more information on these and other critical factors of cybersecurity management, download and watch our recent webinar, Protect, Detect, and Respond: Prioritizing Cybersecurity Management in 2024.