A Framework for Measuring Cybersecurity Risk and Preparedness in the Financial Industry
The FFIEC Cybersecurity Assessment Tool (CAT) is a diagnostic test that helps institutions identify their risk level and determine the maturity of their cybersecurity programs.
The FFIEC’s tool measures risk levels across several categories, including delivery channels, connection types, external threats, and organizational characteristics. Ultimately, the tool allows management to make risk-driven security management decisions through regular cybersecurity assessments using standardized criteria for risk measurement.
How the FFIEC Cybersecurity Assessment Tool Works
The FFIEC Cybersecurity Assessment Tool works by building a measurable picture of an organization's levels of risk and preparedness. Management conducts a two-part survey, including:
- An Inherent Risk Profile, which determines an organization's current level of cybersecurity risk.
- A Cybersecurity Maturity assessment, which identifies an organization's current cybersecurity preparedness level, as defined by maturity scores in five distinct domains (see below).
Details on how to complete each component can be found in the FFIEC CAT User's Guide. The FFIEC cybersecurity assessment is meant to be completed periodically and also after significant technological or operational changes. Despite concerns among financial institutions that not using the tool could lead to regulatory issues, using the FFIEC tool is voluntary. However, the tool is becoming widely used in the financial industry as auditors are increasingly requiring companies to complete an assessment to demonstrate FFIEC CAT compliance.
How the FFIEC Cybersecurity Assessment Tool Measures Risk and Maturity
The FFIEC Cybersecurity Assessment Tool measures both the security risk present in an institution and the institution's preparedness to mitigate that risk. These two factors are measured across the following categories:
FFIEC CAT Inherent Risk Profile Assessment Categories
The FFIEC's Inherent Risk Profile assessment measures risks across the following five categories:
- Technologies and Connection Types
- Delivery Channels
- Online and/or Mobile Products and Tech Services
- Organizational Characteristics
- External Threats
FFIEC CAT Maturity Assessment Categories
The FFIEC’s Cybersecurity Maturity assessment assigns values to maturity levels in the following five domains:
Cyber Risk Management and Oversight
Does the board of directors oversee management's commitment to an institution-wide cybersecurity program? This assessment examines oversight in terms of strategy, policies, robustness of the risk management program, staffing and budgeting of the program, culture, and training.
Threat Intelligence and Collaboration
What processes are in place to uncover, analyze, and share findings on evolving cybersecurity threats? In this domain, management grades the institution in terms of threat intelligence, monitoring/analyzing, and relationships between peers and internal stakeholders that facilitate or hinder cyber threat information sharing.
Cybersecurity Controls
What's the current maturity of controls in place to protect infrastructure, assets, and information through constant, automated monitoring and protection? In this domain, controls are assessed from detective, preventative, and corrective perspectives.
External Dependency Management
This FFIEC maturity assessment domain examines the organization's existing program for overseeing and managing third-party relationships and external connections that have access to the enterprise's information and technology assets.
Cyber Incident Management Resilience
In this domain, the organization's assessors evaluate its response to cyber threat events, including planning and testing to recover normal operations after an event.
Benefits of the FFIEC Cybersecurity Assessment Tool
The benefits provided by the FFIEC Cybersecurity Assessment Tool are varied, but generally they bring a measure of scrutiny and control to a too-often overlooked yet critical area of an institution. Using the FFIEC CAT can help your organization:
- Identify areas of risk proactively, before there is a problem
- Determine the depth and breadth of cyber risk your organization is exposed to
- Discover the institution's preparedness to deal with the cyber threats it faces
- Make decisions about security processes and programs based on the true nature of existing risk
- Use a measurable and repeatable process to assess risk preparedness over time
- Understand, address, and mitigate cybersecurity risks
Best Practices for Using the FFIEC Cybersecurity Assessment Tool
Organizations should follow best practices for successful implementation of the FFIEC Cybersecurity Assessment Tool, including:
- Use the tool as an enterprise-wide diagnostic
- Use the tool before launching new products, services, or initiatives
- For each risk category in the FFIEC Inherent Risk Profile,
- For each domain in the FFIEC Cybersecurity Maturity assessment,
- To complete the FFIEC Cybersecurity Assessment Tool,
Get Answers to FFIEC Cybersecurity Assessment Tool FAQ
Visit the following resources for more details and guidance on successfully implementing the FFIEC Cybersecurity Assessment Tool and answers to frequently asked questions.
- See this FFIEC.gov document for a full exploration of the FFIEC Cybersecurity Assessment Tool, including detailed instructions for how to perform and deliver the required tests and documentation.
- The FFIEC IT Examination Handbook provides comprehensive information on information security program governance, management, and effectiveness.
- The FFIEC Cybersecurity Assessment Tool's resource page at FFIEC.gov provides links to the user's guide, Inherent Risk Profile, Cybersecurity Maturity document, and a list of steps for proper process flow.
- See the FFIEC User's Guide here.
- See the FFIEC Inherent Risk Profile here for part one of the two-part FFIEC Cybersecurity Assessment Tool.
- See the FFIEC Cybersecurity Maturity assessment here for part two of the two-part FFIEC Cybersecurity Assessment Tool.