Making the most of the FFIEC Cybersecurity Assessment Tool
INSIGHT ARTICLE
The new Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool (CAT) offers financial institutions something that has been sorely lacking to date: a standardized framework they can use to guide their cybersecurity efforts. Community banks face mounting cyber threats and increasing regulatory pressure to address cyber risk, yet in recent years they have received little concrete guidance, regulatory or otherwise, on how to do so. The CAT provides that guidance and a set of first steps: it shows you how to assess your institution's level of inherent cybersecurity risk and whether the maturity of your cyber controls is appropriate for that risk, with the goal of building an effective cybersecurity program.
What is the CAT?
The Assessment provides a repeatable, measurable process that institutions can use to gauge their cybersecurity preparedness and track it over time. It incorporates cybersecurity-related principles from the FFIEC Information Technology (IT) Examination Handbook, regulatory guidance and concepts from other industry standards, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
The CAT will help community banks with:
- Assessing their inherent risk profile. The CAT gives you a sound, standardized framework, tailored specifically to financial institutions, for assessing the cybersecurity risk inherent in your activities, services and products. It provides specific questions to guide your evaluation in five key risk areas:
- Technologies and connection types
- Delivery channels
- Online and mobile products and technology services
- Organizational characteristics
- External threats
- Determining their cybersecurity maturity. Using a series of specific declarative statements, you can assess the maturity of your cybersecurity efforts in each of five key domains:
- Cyberrisk management and oversight
- Threat intelligence and collaboration
- Cybersecurity controls
- External dependency management
- Cyber incident management and resilience
By completing both parts of the assessment, the inherent risk profile and the maturity assessment, you can establish:
- Where your risk profile falls on a five-part continuum, ranging from least to most inherent risk (least, minimal, moderate, significant or most)
- Whether your cybersecurity maturity level in each domain is baseline, evolving, intermediate, advanced or innovative
- Whether your maturity levels are appropriate for your inherent risk profile, since an institution with higher inherent risk is expected to demonstrate higher maturity
Making the most of the CAT
By offering a standardized approach to measuring inherent risk profiles and cybersecurity maturity, the CAT offers welcome relief for financial institutions already swamped with a wide range of regulatory demands. However, while the CAT seems relatively straightforward and was designed so that banks can complete it as a self-assessment, you should consider the benefits of experienced guidance when undertaking it.
Why? Because both cyber threats and the approaches used to combat them are evolving rapidly. Are you confident that your internal resources are sufficiently versed in cybersecurity topics to accurately assess the inherent risks to your institution and the true state of your controls?
Completing the assessment accurately requires deciding, for each of a long series of declarative statements, whether the statement genuinely holds for your institution. Consider some of the following examples:
- Management is continuously improving the existing cybersecurity program to adapt, as the desired cybersecurity target state changes.
- The risk management program incorporates cyberrisk identification, measurement, mitigation, monitoring and reporting.
- Threat information received by the institution includes analysis of tactics, patterns and risk mitigation recommendations.
Without sufficient experience, banks may answer "yes" too readily or, because they are unsure what a statement requires in practice, fail to give their own efforts the credit they deserve. Either error distorts the result: the first overstates maturity and hides real gaps, the second understates it and invites unnecessary remediation. An outside advisor can bring an objective and experienced point of view to the process. It is important, however, to choose one with strong credentials in both cybersecurity and financial services. Such an advisor is also best placed to help you assess your risk and the state of your cybersecurity practices relative to your industry peers.
Assessing your current risk profile and cybersecurity maturity is, of course, only a start. The assessment may call your attention to gaps between your inherent risk profile and your cybersecurity efforts, that is, domains where your maturity falls short of what your risk level warrants. This is another area where an experienced cybersecurity advisor can add real value, helping you prioritize remediation and reach the maturity levels your risk profile requires.
Cyber threats have been growing for years, and so has regulators' concern about them, yet community banks have often had to rely on confusing or incomplete guidance. By providing a standardized methodology for assessing both risk and response, the CAT gives you a solid framework with which to work. Working with the right advisors can help you make the most of it.