Posted on Aug 27, 2017

A Quick Look at FFIEC's Assessment Tool

The Federal Financial Institutions Examination Council (FFIEC) issued the Cybersecurity Assessment Tool (CAT) in June 2015. For U.S. financial institutions that fall under the FFIEC's purview, the CAT is a voluntary framework that gives management and examiners a common structure for discussing an institution's cybersecurity maturity. As its name suggests, the CAT measures overall cybersecurity preparedness, and the FFIEC recommends it as a standard way for financial institutions to assess their cyber risk.

CAT Components

The CAT is a detailed questionnaire that breaks the assessment into two parts. (For SecurityScorecard users, much of the information needed to answer these questions can be gathered more quickly from the factor-level grades and issue types in your Scorecard.)

Part One is used to help management evaluate the organization’s inherent risk profile based on five risk areas:

  • Technologies and Connection Types
  • Delivery Channels
  • Online/Mobile Products and Technology Services
  • Organizational Characteristics
  • External Threats

Part Two is used to assess the organization’s maturity in five cybersecurity domains:

  • Cyber Risk Management and Oversight
  • Threat Intelligence and Collaboration
  • Cybersecurity Controls
  • External Dependency Management
  • Cyber Incident Management and Resilience

Each domain is divided into assessment factors, and each factor into declarative statements describing the behaviors, practices, and processes the institution must have in place to reach a given maturity level (Baseline, Evolving, Intermediate, Advanced, or Innovative). An institution attains a level only when it meets every declarative statement at that level and at all lower levels, so the statements it has not yet met form a concrete roadmap for organizations looking to improve their security posture.

Using the CAT can give a financial institution a clearer picture of its inherent risk profile and which of the five risk levels (Least, Minimal, Moderate, Significant, or Most) it falls into, how mature its cybersecurity policies and procedures are, and, most importantly, whether that maturity is appropriate for its risk profile; the higher the inherent risk, the higher the maturity level the FFIEC expects. The FFIEC recommends repeating the assessment at least once a year, and sooner whenever new information on cyber threats is shared or a new electronic service is added to the institution's operations.

Lastly, if a financial institution chooses not to use the CAT, the FFIEC still recommends that it select another recognized industry framework to identify its inherent risk profile and assess its cybersecurity maturity.

SecurityScorecard users can find the available compliance frameworks by clicking the Compliance tab. Selecting a framework maps your Scorecard findings to the controls of that framework.

Reference: https://www.ffiec.gov/cyberassessmenttool.htm
