The CAT is out of the bag: Six steps to effectively adopt the Cybersecurity Assessment Tool

June 17, 2016 Article 1 min read
The Cybersecurity Assessment Tool is creating a whirlwind of change in the industry. Implementing CAT involves some extra effort, but financial institutions already using it are benefiting.

On June 30, 2015, the Federal Financial Institutions Examination Council (FFIEC) released the Cybersecurity Assessment Tool (CAT), creating a whirlwind of change in the industry. Multiple IT examination handbooks were updated, regulators began adjusting exam scopes, and financial institutions began asking how the change should impact their action plans.

The overall goal of the CAT is to help financial institutions increase risk awareness, as well as to provide a catalog of controls to implement. While the CAT was introduced as an option, not a requirement, it has been incorporated into regulatory examinations thus far, and it is expected to be a continued focus during regulatory examinations.

Even if a financial institution has time before regulators request CAT results, it should recognize that completing the tool and reaching the desired control maturity levels also takes time. If they haven’t already, financial institutions can start adopting the tool now by completing the following steps:

  1. Read the FFIEC guidance to understand the different aspects of the assessment.
  2. Gather appropriate team members, and complete the financial institution’s inherent risk profile.
  3. Identify the financial institution’s target cybersecurity maturity level.
  4. Complete the cybersecurity maturity assessment, and develop action plans for areas below target. For areas at target, determine if more mature controls should be implemented.
  5. Present assessment results, plans, and progress to the board of directors.
  6. Include the CAT within annual review processes.

While the CAT is the recommended tool for financial institutions and the approach regulators will be trained on, it’s still not technically required for organizations already using an approved cybersecurity approach such as the National Institute of Standards and Technology (NIST) framework. However, if financial institutions are using a tool other than the FFIEC CAT, they still should map the results back to the tool to assist with examiner discussions.

While implementing CAT involves some extra effort, financial institutions currently using the tool find it valuable and appreciate the results. To learn more about CAT, or for assistance with the adoption process, contact Colin Taggart, associate of Plante Moran’s cybersecurity practice, at 248-223-3235 or