Product News

Find out about our new product features, the latest platform changes, and discover company announcements before anyone else.

Risk Management

Stay up to date on third-party risk management best practices and techniques, and learn about new regulations for third party risk.

Security Research

Keep up with research around the biggest data breaches, malware infections, IoT risks and all the latest news in cybersecurity.

A Quick Look at FFIEC’s Assessment Tool

The Federal Financial Institution Examination Council (FFIEC) recently issued the Cybersecurity Assessment Tool (CAT). For U.S. financial institutions that fall under the FFIEC’s purview, this is a framework that can facilitate discussions about an organization’s cybersecurity maturity. As its name suggests, the CAT is a measurement of overall cybersecurity preparedness that the FFIEC recommends as a standard for financial institutions to use when assessing risk.

CAT Components

The CAT is a robust and detailed survey which breaks the assessment process down into two key parts. (For SecurityScorecard users, getting the information required to respond to many of these questions can be expedited by looking at factor-level grades and issue types in your Scorecard.)


Part One is used to help management evaluate the organization’s inherent risk profile based on five risk areas:


  • Technologies and Connection Types
  • Delivery Channels
  • Online/Mobile Products and Technology Services
  • Organizational Characteristics
  • External Threats


Part Two is used to assess the organization’s maturity in five cybersecurity domains:


  • Cyber Risk Management and Oversight
  • Threat Intelligence and Collaboration
  • Cybersecurity Controls
  • External Dependency Management
  • Cyber Incident Management and Resilience

Each level of maturity within each domain includes a detailed description the behaviors, practices, and processes required of the financial institution to achieve that level of maturity. Ultimately, this draws out a potential roadmap for organizations looking to improve their security posture.


Using the CAT may allow financial institutions to gain a deeper understanding of their risk profile and what risk category they fall into, how mature their cybersecurity policies and procedures are, and (most importantly) if their policies and procedures are appropriate given their risk profile. FFIEC recommends performing cybersecurity assessments at least once a year or as often as any new information on cyber threats is shared or if a new electronic service is added to the institutions workflow.


Lastly, if a financial institution opts out of utilizing the CAT, FFIEC still recommends that organizations select another industry standard framework to help identify risk profile.


For SecurityScorecard users, you can find our available compliance frameworks simply by clicking the “Compliance tab.” By selecting a framework, your Scorecard findings are mapped to the framework of your choice.




Security Roundup: Labor Day Edition
SecurityScorecard on the Principles for Fair & Accurate Security Ratings: A Focus on Accuracy and Validation