The Federal Financial Institutions Examination Council (FFIEC) recently released an updated version of its Cybersecurity Assessment Tool (CAT), which, according to FFIEC, is designed to help the financial institutions voluntarily using the tool to “identify their cyber risks and determine their cybersecurity preparedness.” We explore the changes to the CAT in this post.

The CAT was developed by FFIEC members to provide a “repeatable and measurable process for financial institutions to measure their cybersecurity preparedness.” Although use of the CAT is voluntary and organizations may select other frameworks or methods for identifying inherent risk and assessing cybersecurity posture, the CAT is an influential resource whose approach aligns with the FFIEC Information Technology Handbook (IT Handbook) and the National Institute of Standards and Technology (NIST) Cybersecurity Framework.

The May 2017 update to the CAT includes two key changes:

  • First,the CAT now includes the option for financial institutions to include supplementary or complementary behaviors, practices, and processes in assessment responses.
  • And, second, the CAT incorporates changes to the FFIEC IT Handbook (updated September 2016), primarily in the form of updating the mapping of CAT to the IT Handbook (located in Appendix A).

The fundamental structure and content of the CAT remains the same and therefore supports the use of the CAT as a repeatable and measurable assessment process. The CAT continues to consist of two parts: (1) Inherent Risk Profile, which identifies an institutions’ inherent risk before the implementation of controls; and (2) Cybersecurity Maturity, which evaluates existing cybersecurity controls and practices across the domains of cyber risk management and oversight, threat intelligence and collaboration, cybersecurity controls, external dependency management, and cyber incident management and resilience.

Cybersecurity Maturity is divided into five levels, beginning at Baseline and progressing through Evolving, Intermediate, and Advanced, to Innovative. Each maturity level includes a set of declarative statements that describe how the behaviors, practices, and processes of a financial institution can consistently produce the desired outcomes. In responding to the CAT, financial institutions may now enter supplementary or complementary behaviors or applicable controls that will be taken into account to establish inherent risk and maturity ratings. This means that other strong institutional practices, such as applicable general IT controls, will be taken into account when determining an institution’s risk and maturity profile.

This update reflects the need for flexibility and the differing approaches to cybersecurity and incident preparedness and response. As cyber threats evolve and become more sophisticated, institutions’ overall, organization-wide approach to cybersecurity preparedness has shifted, with cybersecurity an area of focus across many core areas of operation. By attempting to take those changes into account, the CAT continues to evolve and a review of the updated version by institutions in this sector is prudent.

For more information on the CAT update, visit the FFIEC’s cybersecurity awareness page at https://www.ffiec.gov/cybersecurity.htm.

Rupinder Garcha, in our New York office, contributed to this post.