A Quick Look at FFIEC’s Assessment Tool
The Federal Financial Institutions Examination Council (FFIEC) recently issued the Cybersecurity Assessment Tool (CAT). For U.S. financial institutions that fall under the FFIEC’s purview, this is a framework that can facilitate discussions about an organization’s cybersecurity maturity. As its name suggests, the CAT is a measurement of overall cybersecurity preparedness that the FFIEC recommends as a standard for financial institutions to use when assessing risk.
The CAT is a robust and detailed survey which breaks the assessment process down into two key parts. (For SecurityScorecard users, getting the information required to respond to many of these questions can be expedited by looking at factor-level grades and issue types in your Scorecard.)
Part One is used to help management evaluate the organization’s inherent risk profile based on five risk areas:
- Technologies and Connection Types
- Delivery Channels
- Online/Mobile Products and Technology Services
- Organizational Characteristics
- External Threats
Part Two is used to assess the organization’s maturity in five cybersecurity domains:
- Cyber Risk Management and Oversight
- Threat Intelligence and Collaboration
- Cybersecurity Controls
- External Dependency Management
- Cyber Incident Management and Resilience
Each level of maturity within each domain includes a detailed description of the behaviors, practices, and processes required of the financial institution to achieve that level of maturity. Ultimately, this draws out a potential roadmap for organizations looking to improve their security posture.
Using the CAT may allow financial institutions to gain a deeper understanding of their risk profile and what risk category they fall into, how mature their cybersecurity policies and procedures are, and (most importantly) whether their policies and procedures are appropriate given their risk profile. FFIEC recommends performing cybersecurity assessments at least once a year, or as often as any new information on cyber threats is shared or a new electronic service is added to the institution’s workflow.
Lastly, if a financial institution opts out of utilizing the CAT, FFIEC still recommends that it select another industry-standard framework to help identify its risk profile.
SecurityScorecard users can find our available compliance frameworks simply by clicking the “Compliance” tab. When you select a framework, your Scorecard findings are mapped to the framework of your choice.