Posted on Aug 27, 2017
The Federal Financial Institutions Examination Council (FFIEC) recently issued the Cybersecurity Assessment Tool (CAT). For U.S. financial institutions that fall under the FFIEC’s purview, this is a framework that can facilitate discussions about an organization’s cybersecurity maturity. As its name suggests, the CAT measures overall cybersecurity preparedness, and the FFIEC recommends it as a standard for financial institutions to use when assessing risk.
The CAT is a robust and detailed survey that breaks the assessment process down into two key parts. (For SecurityScorecard users, gathering the information required to answer many of these questions can be expedited by looking at factor-level grades and issue types in your Scorecard.)
Part One is used to help management evaluate the organization’s inherent risk profile based on five risk areas:
Part Two is used to assess the organization’s maturity in five cybersecurity domains:
Each level of maturity within each domain includes a detailed description of the behaviors, practices, and processes required of the financial institution to achieve that level of maturity. Ultimately, this draws out a potential roadmap for organizations looking to improve their security posture.
Using the CAT may allow financial institutions to gain a deeper understanding of their risk profile and which risk category they fall into, how mature their cybersecurity policies and procedures are, and (most importantly) whether their policies and procedures are appropriate given their risk profile. The FFIEC recommends performing cybersecurity assessments at least once a year, and more often whenever new information on cyber threats is shared or a new electronic service is added to the institution’s workflow.
Lastly, if a financial institution opts out of using the CAT, the FFIEC still recommends that the organization select another industry-standard framework to help identify its risk profile.
For SecurityScorecard users, you can find our available compliance frameworks by clicking the “Compliance” tab. By selecting a framework, your Scorecard findings are mapped to the framework of your choice.