FFIEC Cybersecurity Assessment Tool
Measuring cybersecurity risk and preparedness for financial institutions.
What is the FFIEC Cybersecurity Assessment Tool?
The FFIEC Cybersecurity Assessment Tool (CAT) is a method used to measure a financial institution’s cybersecurity risk and preparedness over time. While the primary guidance is for national banks, community banks, and credit unions of all sizes, it can also be helpful for non-depository institutions.
The CAT is composed of controls across various maturity levels and approximately 30% of those controls relate to the National Institute of Standards and Technology’s (NIST) cybersecurity framework.
How does the CAT work?
After obtaining the assessment, users select the most appropriate risk level for each of hundreds of controls under the inherent risk profile. Cybersecurity maturity is then determined from the declarative statements selected for each assessment factor. By combining the responses from Parts 1 and 2, the CAT gives users a measurable and repeatable process.
Cyber risk and maturity defined
Part 1: Inherent risk profile is the level of risk posed to your institution by:
- Technologies and connection types
- Delivery channels
- Online/mobile products and technology services
- Organizational characteristics
- External threats
Part 2: Cybersecurity maturity measures your level of risk and corresponding controls.
This includes controls to determine whether your institution’s processes support cybersecurity preparedness within five domains:
- Domain 1: Cyber risk management and oversight
- Domain 2: Threat intelligence and collaboration
- Domain 3: Cybersecurity controls
- Domain 4: External dependency management
- Domain 5: Cyber incident management and resilience
How often should you complete the assessment?
Auditors increasingly request that institutions complete the assessment to demonstrate compliance, making the CAT widely used across financial services. It is best practice to conduct the assessment annually: doing so supports institutions' cybersecurity strategy and business growth and keeps their controls up to date.
Finding the right cybersecurity partner
Completing the CAT is not a simple task, and it can be a burden for IT and risk professionals. When working with cybersecurity partners, it is crucial that the partner selected can do the following:
- Help provide responses based on the cybersecurity program they have implemented for your organization
- Improve your organization’s risk posture
- Prove their firm also has a mature cybersecurity program in place
Inheriting SEI’s maturity
Over two decades ago, SEI built a cybersecurity program to protect its own assets. As a highly regulated financial institution, SEI treats audits as an ongoing process and investment in cybersecurity as a priority. We realized that financial services firms deserve a highly secured program to protect themselves and their clients from threat actors.
The cybersecurity program and protection we provide to our clients is the same level of protection we use for ourselves, ultimately allowing our clients to inherit our maturity and experience.
Example of how a firm inherits SEI's maturity

| Domain | Assessment Factor | Component | Maturity Level | Mapping Number | Declarative Statement |
|---|---|---|---|---|---|
| 2: Threat Intelligence & Collaboration | 1: Threat Intelligence | 1: Threat Intelligence & Information | Innovative | D2.TI.Ti.Inn.2 | The institution is investing in the development of new threat intelligence and collaboration mechanisms (e.g., technologies, business processes) that will transform how information is gathered and shared. |
| 2: Threat Intelligence & Collaboration | 2: Monitoring & Analyzing | 1: Monitoring and Analyzing | Innovative | D2.MA.Ma.Inn.1 | The institution uses multiple sources of intelligence, correlated log analysis, alerts, internal traffic flows, and geopolitical events to predict potential future attacks and attack trends. |
| 2: Threat Intelligence & Collaboration | 2: Monitoring & Analyzing | 1: Monitoring and Analyzing | Innovative | D2.MA.Ma.Inn.2 | Highest risk scenarios are used to predict threats against specific business targets. |
| 3: Cybersecurity Controls | 2: Detective Controls | 3: Event Detection | Innovative | D3.DC.Ev.Inn.1 | The institution is leading efforts to develop event detection systems that will correlate in real time when events are about to occur. |