Tag: ECAT

09 May 2018
Touchmark National Bank Streamlines Cybersecurity Processes and Improves Exam Ratings

As cyber-attacks become increasingly sophisticated, community banks struggle to ensure their institutions are adequately protected and in compliance with regulatory requirements and expectations. Regulators are heavily scrutinizing bank processes to verify that these institutions can effectively safeguard sensitive financial information. The Federal Financial Institutions Examination Council’s (FFIEC) Cybersecurity Assessment Tool (CAT), released in June 2015 to help banks gauge their preparedness for a cybersecurity attack, is not itself a requirement, but it is what regulators use to examine institutions and determine their level of cybersecurity preparedness.

This has led many banks to complete the CAT and examine their cybersecurity preparedness. Although the assessment is beneficial, it is also time-consuming to understand and manage successfully. As a result, bankers are seeking a more efficient way to complete the assessment, understand their level of risk and improve their IT environments.

One senior vice president of a national bank found himself in exactly this situation. He was completing the CAT manually and pulling reports by hand, and quickly found the process challenging and cumbersome. He determined that the bank needed a solution that would give it a better understanding of where it stood in terms of cybersecurity preparedness and examiner expectations.

The CAT Application

The bank began looking for a more user-friendly and repeatable solution: one that captured the process of filling out the CAT in an application and provided compliance guidance on how to improve its cybersecurity processes. As a long-time customer of Safe Systems, the bank ultimately decided to implement its cybersecurity service, Cybersecurity RADAR, which combines compliance expertise with an Enhanced Cybersecurity Assessment Tool (ECAT) application to document notes for examiners, create reports and maintain an up-to-date record of the assessment.

“When I learned that Safe Systems offered a service that included an application along with compliance consulting to help us improve our cybersecurity posture, I knew it would be the right solution for our bank,” said the senior vice president. “Safe Systems’ team of experts guided us through the installation process and provided us with the knowledge and support to ensure a more streamlined assessment.”

Improved Exam Ratings

For this particular bank, Cybersecurity RADAR streamlined the process of filling out the CAT, generated detailed reports, and successfully prepared the bank for exams. With the ECAT application, the bank significantly reduced the amount of time spent completing the CAT from weeks to less than 2 hours.

“The reports generated in the Safe Systems ECAT application have been extremely beneficial to us,” said the senior vice president. “In one of our last exams, an examiner even commented on how user-friendly, complete and easy to understand the reports were. In the past, gathering all the reports and manually tracking the data took us weeks to complete, but now we are able to prepare for exams in a matter of hours.”

The Cybersecurity RADAR solution from Safe Systems can be of great value to any bank wanting to improve operational efficiency, strengthen cybersecurity and increase its confidence in its compliance and security.

Free White Paper

Understanding the FFIEC’s CAT

How Your Institution Can Improve Its Cybersecurity Posture
Get a Copy

02 May 2018
What’s Next After Completing the FFIEC’s CAT? Take Action on the Results

In response to the increasing number of cybersecurity breaches and attacks, the Federal Financial Institutions Examination Council (FFIEC) developed the Cybersecurity Assessment Tool (CAT) to help institutions identify their risks and determine their cybersecurity preparedness. Since its introduction, the CAT has become the baseline that many examiners use to evaluate cybersecurity, so completing it positions financial institutions to address risks and meet examiner expectations with greater confidence. While financial institutions recognize that completing the CAT is an important part of maintaining compliance, in truth it is only the first step they should take.

Phases of CAT Enforcement

Phase one of the CAT roll-out was largely focused on examiners verifying that financial institutions were aware of the CAT and encouraging them to complete it. While this varied by institution, state and governing body, the first year offered financial institutions the most leeway.

Most examiners are operating in phase two of CAT enforcement today. In this phase, the primary question most financial institutions hear during their exam is, “Have you completed the CAT?” With cyber risks becoming more common and pervasive, that cannot remain the long-term extent of examiner expectations. So while most institutions can answer “yes” during phase two, the examination process will eventually have to evolve to require more of them.

In phase three, examiners will verify that financial institutions are actively taking steps to respond to their CAT findings. Institutions that are not remedying the cybersecurity gaps or vulnerabilities the CAT uncovered will likely be cited and may receive poor compliance ratings. Regulators are under pressure to take this step, since they can be called before Congress after the next banking cyberattack to explain why enforcement has not been working. Going forward, financial institutions will need not only to complete the CAT but to clearly demonstrate the steps they have taken in response to its findings.

Next Steps After Completing the CAT

The good news is that the majority of financial institutions have already completed the CAT, so the key is making those results actionable and remedying the issues they reveal.

The challenge is that completing the CAT and then fixing every gap and vulnerability it uncovers is a daunting process. Working with a trusted IT partner lets financial institutions gain significant operational efficiencies in their cybersecurity processes and ensure that all gaps and vulnerabilities are properly addressed, leading to a better cybersecurity posture and better compliance ratings. Safe Systems helps financial institutions manage their cybersecurity program more efficiently and meet their compliance requirements.

Safe Systems developed its Cybersecurity RADAR solution which combines compliance expertise with an Enhanced Cybersecurity Assessment Tool (ECAT) application to help document notes for examiners, create reports and maintain an up-to-date record of the assessment. This is paired with a knowledgeable team to provide expert advice and support to ensure a more streamlined assessment process.

For more information, download our white paper, Understanding the FFIEC’s CAT: How Your Institution Can Improve Its Cybersecurity Posture.


25 Apr 2018
6 Common Misunderstandings of the FFIEC Cybersecurity Assessment Tool

Since its introduction three years ago, the Federal Financial Institutions Examination Council’s (FFIEC) Cybersecurity Assessment Tool (CAT) has been the focus of much attention within the financial services industry. The CAT helps financial institutions identify risks such as gaps in IT security, gauge their cybersecurity preparedness and pinpoint areas for improvement.

While many financial institutions have completed the CAT, there are still some widespread misunderstandings about the assessment. Six of the top misconceptions we have seen include:

  1. Filling out the CAT improves an institution’s position against a cyber-threat

    Completing the CAT identifies areas of risk and the institution’s level of cybersecurity maturity, but the assessment itself changes nothing. Once it is complete, the institution’s inherent risk profile must be compared with its maturity level to find the areas where risk is not mitigated appropriately. If your institution has filled out the assessment but has not done a gap analysis between its risks and its maturity, you are not done.

    Additionally, if you have filled out the assessment and have not yet changed your security posture based on the results, you are not done.

  2. Filling out the Cybersecurity Assessment Tool is all that is required

    Many institutions have stopped working on the CAT after their exam because examiners only required them to complete the assessment. Simply filling out the CAT does not come close to addressing the FFIEC guidance or the full intent of the CAT. If your institution has stopped here, there is much more to do to strengthen its cybersecurity procedures. If you do not review your institution’s security gaps and improve your compliance processes, you will continue to lag behind.

  3. The CAT doesn’t have to be completed anytime soon

    At this point, many examiners are simply asking financial institutions whether they have filled out the CAT. If your institution has not yet done so, complete it soon to meet examiner expectations. When you are finished, establish a timeline and action plan describing how you will incorporate your responses and assessment findings into your cybersecurity plan.

  4. The CAT can be completed by just one person

    Completing the CAT is not a one-person job; it requires input from a variety of departments within the institution. The 59-page assessment spans several job roles, which makes it a cumbersome task for one individual and can lead to inaccurate responses. Key personnel from all departments should complete the assessment together to ensure an accurate view of the institution.

  5. I completed the CAT and passed my exam, so I don’t need to do anything about the CAT before my next exam

    Time after time, examiners write up institutions in areas where they did well in past examinations. Worse, once regulators write up a bank for one infraction, they typically examine other areas more closely, leading to additional findings. Don’t assume that because your examiner was content with your assessment in the past there are no other areas where you can improve. Fill out the assessment; review your inherent risk profile and cybersecurity maturity level; and look for ways to enhance your compliance processes and increase your institution’s cybersecurity preparedness.

  6. The CAT is not a requirement

    When the CAT was initially released, it was promoted as a free and optional tool to help financial institutions assess their cybersecurity preparedness. While it is true that you do not have to use the CAT, all financial institutions are required to evaluate inherent risk and cybersecurity maturity in some way, which requires a robust assessment program. If your assessment differs from what the examiner expects, it may lead to more questions or more scrutiny. A better way to assess cybersecurity might exist, but striking out on your own path to assess your risks is a little like taking a small rowboat out into uncharted water.

    The CAT is now the baseline many auditors and examiners use, so completing it enables financial institutions to address cybersecurity risks and meet examiner expectations with confidence. However, while it is important to complete the CAT, the key is in making the results actionable and remedying any issues that arise.

Safe Systems developed the Cybersecurity RADAR solution, which combines compliance expertise with an Enhanced Cybersecurity Assessment Tool (ECAT) application to help document notes for examiners, create reports and maintain an up-to-date record of the assessment. Safe Systems also provides a knowledgeable team to provide expert advice and support to ensure a more streamlined assessment process.

For more information, download our white paper, Understanding the FFIEC’s CAT: How Your Institution Can Improve Its Cybersecurity Posture.


26 Jul 2017
Top 4 Missing Declarative Statements in the FFIEC’s Cybersecurity Assessment Tool

With the heightened risk of cybersecurity attacks on financial institutions, many community banks and credit unions are completing the Federal Financial Institutions Examination Council’s (FFIEC) Cybersecurity Assessment Tool (CAT) to assess their cybersecurity preparedness, determine their next steps for strengthening their maturity and better meet examiner expectations. The assessment consists of two parts: the Inherent Risk Profile and Cybersecurity Maturity. The Inherent Risk Profile assesses the risk posed by Technologies and Connection Types, Delivery Channels, Online/Mobile Products and Technology Services, Organizational Characteristics, and External Threats. Management then evaluates the institution’s Cybersecurity Maturity level across five domains.

According to the FFIEC’s Cybersecurity Assessment Tool Overview for Chief Executive Officers and Boards of Directors, “Cybersecurity Maturity includes statements to determine whether an institution’s behaviors, practices, and processes can support cybersecurity preparedness.” The declarative statements within each domain are grouped into maturity levels ranging from Baseline to Innovative. Financial institutions determine “which declarative statements best fit the current practices of the institution. All declarative statements in each maturity level, and previous levels, must be attained and sustained to achieve that domain’s maturity level.”

Since the introduction of the CAT in 2015, we have been assisting community banks and credit unions with completing this process. Based on our experience, which consists of more than 100 reviews of the CAT to date, we have identified four declarative statements that community financial institutions are struggling to complete:

  1. Domain 4 – External Dependency Management – Connections

    “Data flow diagrams are in place and document information flow to external parties.”

    According to the FFIEC’s Information Security Handbook, “these diagrams should identify hardware, software, and network components, internal and external connections, and types of information passed between systems.” Regulators are looking for financial institutions to demonstrate a solid understanding of where data is going and what type of data is being transmitted to third parties.

  2. Domain 1 – Cyber Risk Management and Oversight – Training and Culture

    “Customer awareness materials are readily available” (e.g., DHS’ Cybersecurity Awareness Month materials)

    Customer awareness materials, according to the FFIEC Information Security Handbook, are used to “increase awareness of the fraud risk and effective techniques customers can use to mitigate the risk.” These materials should “consider both retail and commercial account holders.” It is important for community banks and credit unions to communicate effective risk management strategies to their customers. The declarative statement references the US Department of Homeland Security’s website; the Stop.Think.Connect Toolkit there has resources financial institutions can use to provide awareness material to customers.

  3. Domain 3 – Cybersecurity Controls – Preventative Controls

    “Domain Name System Security Extensions (DNSSEC) is deployed across the enterprise.”

    DNSSEC adds digital signatures to DNS records so that a validating resolver can verify that an answer is authentic and unmodified; it protects the integrity and origin of DNS data, not its confidentiality. With validation enabled, an institution is less susceptible to DNS spoofing and cache-poisoning attacks. However, based on the experience of Safe Systems engineers, DNSSEC can cause issues throughout an organization’s systems: a validating resolver refuses answers from a signed zone whose signatures are invalid or expired, so a signing mistake in any signed zone the institution depends on, its own or a vendor’s, becomes a resolution failure (typically SERVFAIL) for its users. There are other technical tools financial institutions can implement to meet the spirit of the statement without deploying troublesome tactics.

  4. Domain 1 – Cyber Risk Management and Oversight – Oversight

    “The institution has a cyber risk appetite statement approved by the board or an appropriate board committee.”

    Regulators want to see a cyber risk appetite statement in place that has been approved by the board. In fact, risk appetite is mentioned more than 17 times in the CAT. A cyber risk appetite statement records how much cybersecurity risk management is willing to accept in pursuit of the goals and objectives of the institution’s strategic plan. To read more on how to develop a cyber risk appetite, visit the Compliance Guru Blog.
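To check whether an institution’s recursive resolvers actually validate DNSSEC (the capability the DNSSEC statement above asks about), and to tell a DNSSEC validation failure apart from an ordinary DNS outage (the kind of issue the DNSSEC item warns about), the following added example parses the output of `dig +dnssec`. It was written for this page and is not Safe Systems’ code or part of the original post; the `dig` responses embedded in it are constructed, `bank.example` is a placeholder name, and the script assumes BIND’s `dig` output format (the `;; flags:` header line and whitespace-separated answer records).

```python
"""Classify `dig +dnssec` output to see whether a resolver validates DNSSEC.

Added example for this page, not code from the original post. Usage:
    dig +dnssec bank.example A | python3 dnssec_check.py
Run a second query with +cd (checking disabled) to diagnose a SERVFAIL.
All sample responses below are constructed, not captured from a resolver.
"""
import re
import sys

FLAGS_RE = re.compile(r"^;; flags: ([^;]*);", re.MULTILINE)
STATUS_RE = re.compile(r"status: ([A-Z]+)")


def parse(dig_output):
    """Return (rcode, set of header flags, set of record types in the answer)."""
    status = STATUS_RE.search(dig_output)
    flags = FLAGS_RE.search(dig_output)
    rtypes = set()
    for line in dig_output.splitlines():
        fields = line.split()
        # Resource records look like: name TTL IN TYPE rdata; comments start with ';'
        if len(fields) >= 4 and not line.startswith(";") and fields[2] == "IN":
            rtypes.add(fields[3])
    return (status.group(1) if status else "UNKNOWN",
            set(flags.group(1).split()) if flags else set(),
            rtypes)


def dnssec_status(dig_output):
    """One of: validated, signed-unvalidated, unsigned, servfail.

    The 'ad' (Authenticated Data) flag is set only by a validating resolver on
    answers it has verified; RRSIG records show the zone is signed at all."""
    rcode, flags, rtypes = parse(dig_output)
    if rcode == "SERVFAIL":
        return "servfail"
    if "RRSIG" in rtypes:
        return "validated" if "ad" in flags else "signed-unvalidated"
    return "unsigned"


def diagnose(default_output, cd_output):
    """Tell a DNSSEC validation failure apart from an ordinary resolution failure.

    A validating resolver returns SERVFAIL for a signed zone whose signatures are
    broken or expired, while the same query with +cd succeeds. SERVFAIL in both
    cases is a plain DNS problem, not DNSSEC."""
    first = dnssec_status(default_output)
    if first != "servfail":
        return first
    rcode, _, _ = parse(cd_output)
    return "dnssec-validation-failure" if rcode == "NOERROR" else "resolution-failure"


# Constructed dig output for the placeholder zone bank.example (TEST-NET address).
HEADER = (";; ->>HEADER<<- opcode: QUERY, status: {rcode}, id: 4242\n"
          ";; flags: {flags}; QUERY: 1, ANSWER: {n}, AUTHORITY: 0, ADDITIONAL: 1\n")
ANSWER = "\n;; ANSWER SECTION:\n"
A_RR = "bank.example.\t\t3600\tIN\tA\t192.0.2.10\n"
RRSIG_RR = ("bank.example.\t\t3600\tIN\tRRSIG\tA 13 2 3600 20240201000000 "
            "20240101000000 12345 bank.example. c29tZXNpZw==\n")

VALIDATED = HEADER.format(rcode="NOERROR", flags="qr rd ra ad", n=2) + ANSWER + A_RR + RRSIG_RR
UNVALIDATED = HEADER.format(rcode="NOERROR", flags="qr rd ra", n=2) + ANSWER + A_RR + RRSIG_RR
UNSIGNED = HEADER.format(rcode="NOERROR", flags="qr rd ra", n=1) + ANSWER + A_RR
BROKEN = HEADER.format(rcode="SERVFAIL", flags="qr rd ra", n=0)
BROKEN_CD = HEADER.format(rcode="NOERROR", flags="qr rd ra cd", n=2) + ANSWER + A_RR + RRSIG_RR

if __name__ == "__main__":
    print(dnssec_status(sys.stdin.read()))
```

A result of `signed-unvalidated` means the zone is signed but the resolver being queried does not validate, which is the common state when DNSSEC has only been enabled at the authoritative side; `dnssec-validation-failure` is the outage mode described above, and the fix is in the zone’s signatures (or the resolver’s trust anchor and clock), not in turning validation off.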

Financial institutions should review their current CAT responses, particularly the Baseline-level declarative statements answered “No” or those they are struggling to complete, to determine whether a compensating control can be implemented. The CAT allows a statement to be answered “Yes” with compensating controls, so a documented compensating control may let the institution answer in the affirmative and help ensure it meets regulatory expectations.

For more information, please download our white paper, Understanding the FFIEC’s CAT: How Your Institution Can Improve Its Cybersecurity Posture.


20 Jul 2017
Lumbee Guaranty Bank Streamlines Cybersecurity Processes with Safe Systems’ Cybersecurity RADAR Application

The number of cyber-attacks directed at financial institutions of all sizes continues to grow, and cybersecurity experts expect the trend toward increasingly sophisticated attacks to continue. Community banks and credit unions are prime targets for cyber criminals because of the sensitive data they hold. As consumers and businesses increasingly use computers, tablets and smartphones to perform financial transactions online, the attack surface keeps expanding. A breach can be devastating because of its direct costs, not to mention lost customer confidence and reputational damage.

As a result of this heightened risk, regulators are heavily scrutinizing bank processes to verify that institutions can effectively safeguard sensitive financial information. While not yet a requirement, the FFIEC’s Cybersecurity Assessment Tool (CAT) serves as the key guidance examiners use to determine whether an institution is adequately prepared for a cybersecurity incident and meeting federal regulatory expectations. In response, many banks and credit unions are now completing the assessment to evaluate their cybersecurity posture, determine their next steps for strengthening cybersecurity processes and better meet examiner expectations.

While completing the assessment has proven beneficial, many financial institutions find the 100+ page assessment too cumbersome a task to manage and fully understand. As a result, they look for a more efficient way to complete the assessment, understand their level of risk and improve their IT environment.

This was the case for Pembroke, N.C.-based Lumbee Guaranty Bank. To ensure his institution maintained compliance, Austin Maynor, Information Security Officer at Lumbee Guaranty Bank, manually filled out the CAT with the help of a spreadsheet, but quickly found this process to be an extremely time-consuming project to complete. He determined the bank needed a solution that could give them a better understanding of where they were in terms of cybersecurity preparedness and where they needed to be in order to maintain compliance.

Streamlined CAT Completion Solution

As a long-time customer of Safe Systems, the bank decided to implement the Cybersecurity RADAR™ solution, a cybersecurity product that combines compliance expertise with an Enhanced Cybersecurity Assessment Tool (ECAT) application. The solution allows staff to quickly generate reports, document notes and save examination results to review each year.

For Lumbee Guaranty Bank, Cybersecurity RADAR streamlined the process of filling out the CAT and helped the bank improve its cybersecurity processes. With the automated application, Lumbee Guaranty Bank significantly reduced the amount of time spent completing the CAT from days to less than 4 hours. In addition, Safe Systems’ evaluation of the bank’s responses helped clearly illustrate to the bank where they were in regards to compliance and baseline expectations.

“The Cybersecurity RADAR solution has been a great addition to our bank, helping us gain meaningful operational efficiencies while continuing to grow and strengthen our cybersecurity program. We are grateful to have a true partner like Safe Systems helping us navigate the latest compliance guidelines and effectively streamline our most important processes.”

For more information, download our cybersecurity case study, “Lumbee Guaranty Bank Streamlines Cybersecurity Processes.”


12 Jul 2017
How to Better Understand Your Bank’s Results from the CAT

The Federal Financial Institutions Examination Council (FFIEC) published the Cybersecurity Assessment Tool (CAT) in June 2015 to help financial institutions identify and evaluate their cybersecurity risk awareness and readiness. The tool is a comprehensive set of questions for evaluating a financial institution’s cybersecurity risk, designed to encourage consistent analysis, evaluation and examination of cybersecurity risks across institutions.

The CAT consists of two parts: 1) the Inherent Risk Profile and 2) Cybersecurity Maturity. The Inherent Risk Profile identifies the institution’s inherent risk, that is, the risk present before controls are taken into account. The tool is staged: once the Inherent Risk Profile has been determined, the institution turns its attention to the Cybersecurity Maturity section.

Successful completion of the CAT for Inherent Risk and Cybersecurity Maturity provides financial institutions with practical insight in two specific areas:

  1. Risk Grade

    Completing the Inherent Risk Profile gives the institution a risk level for each category the profile covers (technologies and connection types, delivery channels, online/mobile products and technology services, organizational characteristics, and external threats) and for the institution overall, on a scale from Least to Most. This shows the institution how examiners are likely to view its relative risk exposure.

  2. Gap Analysis

    Completing the Cybersecurity Maturity section produces a gap analysis that identifies missing controls and processes: the declarative statements in each domain that are not yet attained. Raising the level of cybersecurity maturity means implementing changes and monitoring progress continually, and the gap analysis is the first step in that process.

The CAT also enables financial institutions to review their Inherent Risk Profile in relation to their Cybersecurity Maturity results, which will indicate if they are aligned. As one might expect, as inherent risk rises, an institution’s maturity level should also increase. However, an institution’s inherent risk profile and maturity levels will change over time as threats, vulnerabilities, and operational environments change, making it necessary for institutions to complete the CAT periodically or when making adjustments to their organizations.
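The rule quoted earlier on this page from the FFIEC’s overview for CEOs and boards (a domain reaches a maturity level only when every declarative statement at that level and at all lower levels is attained) and the gap analysis just described can be expressed directly in code. The following is an added example written for this page, not the FFIEC’s tool or Safe Systems’ ECAT application. The domain names follow the CAT, but the statement identifiers and statement texts are a constructed sample, and the target maturity level is an input the institution chooses from its own risk/maturity alignment rather than something this code derives.

```python
"""Compute a CAT domain's attained maturity level and the gap to a target level.

Added example for this page; not the FFIEC's tool or the ECAT application.
Implements the FFIEC rule that a domain attains a maturity level only when
every declarative statement at that level and at all lower levels is attained.
Statement identifiers and texts below are a constructed sample.
"""
from dataclasses import dataclass

# CAT maturity levels in ascending order.
LEVELS = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]

# CAT answers: "Yes", "Yes(CC)" (attained via a compensating control), "No".
ATTAINED = {"Yes", "Yes(CC)"}


@dataclass(frozen=True)
class Statement:
    sid: str      # placeholder identifier (constructed, not a real CAT code)
    domain: str
    level: str    # one of LEVELS
    text: str
    answer: str


def attained_level(statements, domain):
    """Highest level at which this level and all lower levels are fully attained.

    Returns None when even Baseline is not fully attained: a "Yes" at a higher
    level does not count until everything below it is attained."""
    reached = None
    for level in LEVELS:
        at_level = [s for s in statements if s.domain == domain and s.level == level]
        if not at_level or any(s.answer not in ATTAINED for s in at_level):
            break
        reached = level
    return reached


def gap_analysis(statements, domain, target):
    """Unattained statements at or below the target level, lowest level first.

    These are the controls and processes to put in place (or cover with a
    compensating control) before the domain can reach the target."""
    cutoff = LEVELS.index(target)
    return [s for level in LEVELS[:cutoff + 1]
            for s in statements
            if s.domain == domain and s.level == level and s.answer not in ATTAINED]


def compensating_controls(statements, domain):
    """Statements answered "Yes(CC)": attained, but examiners will expect the
    compensating control to be documented in the notes."""
    return [s for s in statements if s.domain == domain and s.answer == "Yes(CC)"]


def domain_report(statements, domain, target):
    """Summary suitable for the notes kept for examiners."""
    return {
        "domain": domain,
        "attained": attained_level(statements, domain),
        "target": target,
        "gap": [s.sid for s in gap_analysis(statements, domain, target)],
        "compensating": [s.sid for s in compensating_controls(statements, domain)],
    }


# Constructed sample answers for two domains (statement texts are not the CAT's).
D1 = "Domain 1 - Cyber Risk Management and Oversight"
D3 = "Domain 3 - Cybersecurity Controls"
SAMPLE = [
    Statement("D1-B-1", D1, "Baseline", "Information security policy is board-approved", "Yes"),
    Statement("D1-E-1", D1, "Evolving", "Cyber risk appetite statement is board-approved", "Yes"),
    Statement("D1-I-1", D1, "Intermediate", "Cyber risks are aggregated enterprise-wide", "No"),
    Statement("D3-B-1", D3, "Baseline", "Patches are applied on a documented schedule", "Yes"),
    Statement("D3-B-2", D3, "Baseline", "Email attachments are filtered for malware", "Yes(CC)"),
    Statement("D3-E-1", D3, "Evolving", "Outbound DNS is restricted to approved resolvers", "Yes"),
    Statement("D3-E-2", D3, "Evolving", "DNSSEC validation is enabled on recursive resolvers", "No"),
    Statement("D3-I-1", D3, "Intermediate", "Network traffic baselines are monitored for anomalies", "Yes"),
]

if __name__ == "__main__":
    for domain in (D1, D3):
        print(domain_report(SAMPLE, domain, target="Intermediate"))
```

In the sample, Domain 3 stays at Baseline even though an Intermediate statement is answered “Yes”, because one Evolving statement is still “No”; that single statement is the whole gap to the Intermediate target, and the “Yes(CC)” answer is listed separately so the compensating control gets documented before the exam.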

It is important to note that while there are online tools available to complete the CAT, the key is in making those results actionable, which may require third-party expertise. That is why Safe Systems developed the Cybersecurity RADAR solution which combines compliance expertise with an Enhanced Cybersecurity Assessment Tool (ECAT) application to help document notes for examiners, create reports and maintain an up-to-date record of the assessment. Safe Systems also provides a knowledgeable team to provide expert advice and support to ensure a more streamlined assessment process.

The CAT is now the baseline many auditors use, so completing it (and, more importantly, understanding the results) enables financial institutions to address cybersecurity risks and meet examiner expectations with confidence. Working with a trusted IT partner lets financial institutions gain significant operational efficiencies in their CAT reviews and reporting, leading to a better understanding of regulatory expectations and a stronger cybersecurity posture. Safe Systems can help financial institutions manage their cybersecurity program more efficiently and meet their compliance needs.

For more information, please download our white paper, Understanding the FFIEC’s CAT: How Your Institution Can Improve Its Cybersecurity Posture.


28 Jun 2017
The CAT Isn’t Mandatory, So Why Should We Complete It?

Because of the increasing volume and sophistication of the cyber threats financial institutions face, the Federal Financial Institutions Examination Council (FFIEC) developed the Cybersecurity Assessment Tool (CAT) to help institutions identify their risks and determine their cybersecurity preparedness through a repeatable and measurable process. The CAT helps financial institutions weigh specific risks, such as gaps in IT security, against the controls intended to prevent, detect and respond to those threats, and so determine areas for improvement. Each institution is then responsible for identifying its own risk appetite and establishing its desired level of maturity. Using the CAT, financial institutions can understand where their security practices fall short and how to address those gaps effectively.

When the CAT was initially released in 2015, it was promoted as a free and optional tool available to financial institutions to help assess their cybersecurity preparedness. However, regulatory agencies including the Federal Deposit Insurance Corporation (FDIC) and the National Credit Union Administration (NCUA) have announced plans to incorporate the assessment into their examination procedures. Today, many examiners are using the tool to assess an institution’s cybersecurity readiness and have already begun to issue citations to financial institutions that have lapses or are not meeting expectations.

Even though the CAT is voluntary, all financial institutions are required to evaluate inherent risk and cybersecurity maturity in some way, which requires a robust assessment program. Completing the CAT is a good way to prepare for audits since the guidelines provide community banks and credit unions with detailed information on the federal government’s expectations for cybersecurity preparedness. The CAT enables financial institutions to identify vulnerabilities, fill in security gaps, and demonstrate a stronger security posture before the examination begins.

In addition to meeting examiner expectations, completing the CAT benefits financial institutions by helping them:

  • Determine whether controls are properly addressing their identified risks
  • Identify cyber risk factors and assess cybersecurity preparedness
  • Make more informed risk management decisions
  • Demonstrate the institution’s commitment to cybersecurity
  • Prepare the organization for an upcoming audit

Used correctly, the CAT provides a cost-effective methodology for improving security, building client trust and avoiding losses from a breach. For the greatest positive impact it should be completed periodically on an enterprise-wide basis, as well as whenever significant operational or technical changes occur. Completing the CAT helps community banks and credit unions understand the key risks they face and the controls they need to protect the institution’s data, leading to a better understanding of regulatory expectations and a stronger, more compliant cybersecurity program.

For more information, please download our complimentary white paper, Understanding the FFIEC’s CAT: How Your Institution Can Improve Its Cybersecurity Posture.
