On June 30, 2015, the Federal Financial Institutions Examination Council (FFIEC) released the Cybersecurity Assessment Tool (CAT), creating a whirlwind of change in the industry. Multiple IT examination handbooks were updated, regulators began adjusting exam scopes, and financial institutions began asking how the change should impact their action plans.
The overall goal of the CAT is to help financial institutions increase risk awareness, as well as to provide a catalog of controls to implement. While the CAT was introduced as an option, not a requirement, it has been incorporated into regulatory examinations thus far, and it is expected to be a continued focus during regulatory examinations.
Even if a financial institution has time before regulators request CAT results, recognize that it also takes time to complete the tool and reach desired control maturity levels. If they haven’t already, financial institutions can start adopting the tool now by completing the following steps:
- Read the FFIEC guidance to understand the different aspects of the assessment, and download the Cybersecurity Assessment Tool >>
- Gather appropriate team members, and complete the financial institution’s inherent risk profile.
- Identify the financial institution’s target cybersecurity maturity level.
- Complete the cybersecurity maturity assessment, and develop action plans for areas below target. For areas at target, determine if more mature controls should be implemented.
- Present assessment results, plans, and progress to the board of directors.
- Include the CAT within annual review processes.
While the CAT is the recommended tool for financial institutions and the approach regulators will be trained on, it’s still not technically required for organizations already using an approved cybersecurity approach such as the National Institute of Standards and Technology (NIST) framework. However, if financial institutions are using a tool other than the FFIEC CAT, they still should map the results back to the tool to assist with examiner discussions.
While implementing CAT involves some extra effort, financial institutions currently using the tool find it valuable and appreciate the results. To learn more about CAT, or for assistance with the adoption process, contact Colin Taggart, associate of Plante Moran’s cybersecurity practice, at 248-223-3235 or Colin.Taggart@plantemoran.com.