Skip to main content

FFIEC Cybersecurity Assessment Tool

September 21, 2022
clock 3 MIN READ

What is the FFIEC Cybersecurity Assessment Tool?

The FFIEC Cybersecurity Assessment Tool (CAT) is a method used to measure a financial institution’s cybersecurity risk and preparedness over time. While the primary guidance is for national banks, community banks, and credit unions of all sizes, it can also be helpful for non-depository institutions. 

The CAT is composed of controls across various maturity levels and approximately 30% of those controls relate to the National Institute of Standards and Technology’s (NIST) cybersecurity framework. 

How does the CAT work?

After obtaining the assessment, users select the most appropriate risk level across hundreds of controls under the inherent risk profile. Cybersecurity maturity is determined based on the selected declarative statements for each assessment factor. As a result, the CAT provides users with measurable and repeatable processes by combining responses from part one and two in the assessment.

Cyber risk and maturity defined

Part 1: Inherent risk profile is the level of risk posed to your institution by:

  • Technologies and connection types
  • Delivery channels
  • Online/mobile products and technology services
  • Organizational characteristics
  • External threats

Part 2: Cybersecurity maturity measures your level of risk and corresponding controls.

This includes controls to determine whether your institution’s processes support cybersecurity preparedness within five domains: 

  • Domain 1: Cyber risk management and oversight
  • Domain 2: Threat intelligence and collaboration
  • Domain 3: Cybersecurity controls
  • Domain 4: External dependency management
  • Domain 5: Cyber incident management and resilience

How often should you complete the assessment?

Auditors increasingly request institutions to complete the assessment to demonstrate compliance, making CAT widely used across financial services. It’s best practice to conduct the assessment annually to help institutions with cybersecurity strategy and business growth, and to keep them up to date on controls. 

Finding the right cybersecurity partner

Completing the CAT is not a simple task. It may pose as a burden for IT and risk professionals so when working with cybersecurity partners, it is crucial the partner selected can do the following:

  1. Help provide responses based on the cybersecurity program they have implemented for your organization 
  2. Improve your organization’s risk posture
  3. Prove their firm also has a mature cybersecurity program in place 

Inheriting SEI’s maturity

Over two decades ago, SEI built a cybersecurity program to protect its own assets. As a highly regulated financial institution, audits are an ongoing process and an investment in cybersecurity is a priority. We realized financial services firms deserve a highly secured program to protect themselves and their clients from threat actors. 

The cybersecurity program and protection we provide to our clients is the same level of protection we use for ourselves, ultimately, allowing our clients to inherit our maturity and experience.

Example of how a firm inherits SEI’s maturity
Domain Assessment Factor Component Maturity Level Mapping Number Declarative Statement
2:Threat Intelligence & Collaboration  1: Threat Intelligence 1: Threat Intelligence & Information Innovative D2.TI.Ti.Inn.2 The institution is investing in the development of new threat intelligence and collaboration mechanisms (e.g., technologies, business processes) that will transform how information is gathered and shared.
2:Threat Intelligence & Collaboration 2: Monitoring & Analyzing 1: Monitoring and Analyzing Innovative D2.MA.Ma.Inn.1 The institution uses multiple sources of intelligence, correlated log analysis, alerts, internal traffic flows, and geopolitical events to predict potential future attacks and attack trends. 
2:Threat Intelligence & Collaboration 2: Monitoring & Analyzing 1: Monitoring and Analyzing Innovative D2.Ma.Ma.Inn.2 Highest risk scenarios are used to predict threats against specific business targets.
3: Cybersecurity Controls 2: Detective Controls 3: Event Detection Innovative D3.Dc.Ev.Inn.1 The institution is leading efforts to develop event detection systems that will correlate in real time when events are about to occur. 


More from The Sphere Blog

Helping to identify the intersection of people, process, tools and budget for optimal risk control.

Let's connect

Learn more about how we can help enhance your cybersecurity posture.