The FFIEC Cybersecurity Assessment Tool

Data Security Knowledge Base

A Framework for Measuring Cybersecurity Risk and Preparedness in the Financial Industry


The FFIEC Cybersecurity Assessment Tool (CAT) is a diagnostic test that helps institutions identify their risk level and determine the maturity of their cybersecurity programs.

The FFIEC’s tool measures risk levels across several categories, including delivery channels, connection types, external threats, and organizational characteristics. Ultimately, the tool allows management to make risk-driven security management decisions through regular cybersecurity assessments using standardized criteria for risk measurement.

How the FFIEC Cybersecurity Assessment Tool Works


The FFIEC Cybersecurity Assessment Tool works by building a measurable picture of an organization's levels of risk and preparedness. Management conducts a two-part survey, including:

  1. An Inherent Risk Profile, which determines an organization's current level of cybersecurity risk.
  2. A Cybersecurity Maturity assessment, which identifies an organization's current cybersecurity preparedness level, as defined by maturity scores in five distinct domains (see below).

Details on how to complete each component can be found in the FFIEC CAT User's Guide. The FFIEC cybersecurity assessment is meant to be completed periodically and also after significant technological or operational changes. Despite concerns among financial institutions that not using the tool could lead to regulatory issues, using the FFIEC tool is voluntary. However, the tool is becoming widely used in the financial industry as auditors are increasingly requiring companies to complete an assessment to demonstrate FFIEC CAT compliance.

How the FFIEC Cybersecurity Assessment Tool Measures Risk and Maturity


The FFIEC Cybersecurity Assessment Tool measures both the security risk present in an institution and the institution's preparedness to mitigate that risk. These two factors are measured across the following categories:

FFIEC CAT Inherent Risk Profile Assessment Categories

The FFIEC's Inherent Risk Profile assessment measures risks across the following five categories:

Technologies and Connection Types

Some types of technologies and the networks they connect to come with a higher inherent risk level. In this category, managers examine the number of connections from third parties and ISPs, the number of unsecured connections, whether hosting is outsourced or handled internally, and several other factors.

Delivery Channels

Some delivery channels for company products and services pose a higher risk than others. More delivery channels, and more diverse delivery channels, mean a higher inherent risk. In this category, risk is measured across websites, web and mobile applications, and ATMs.

Online and/or Mobile Products and Tech Services

The security of an institution varies depending on the different technology products and services it offers. Payment services and transaction services such as credit cards, wire transfers, person-to-person payments, and correspondent banking all come with different security challenges that are assessed in this category.

Organizational Characteristics

In this category, characteristics of the institution itself are examined, including the number of direct employees, changes in security staff, the number of users with elevated security privileges, the locations of data centers, and more.

External Threats

The number of attacks (and the type of attacks) sustained by an organization factors into its risk assessment under this section of the FFIEC Cybersecurity Assessment Tool.

FFIEC CAT Maturity Assessment Categories


The FFIEC’s Cybersecurity Maturity assessment assigns values to maturity levels in the following five domains:

Cyber Risk Management and Oversight

Does the board of directors oversee management's commitment to an institution-wide cybersecurity program? This assessment examines oversight in terms of strategy, policies, robustness of the risk management program, staffing and budgeting of the program, culture, and training.

Benefits of the FFIEC Cybersecurity Assessment Tool


The benefits provided by the FFIEC Cybersecurity Assessment Tool are varied, but generally they bring a measure of scrutiny and control to a too-often overlooked yet critical area of an institution. Using the FFIEC CAT can help your organization:

Identify areas of risk proactively, before there is a problem

Determine the depth and breadth of cyber risk your organization is exposed to

Discover the institution's preparedness to deal with the cyber threats it faces

Make decisions about security processes and programs based on the true nature of existing risk

Use a measurable and repeatable process to assess risk preparedness over time

Understand, address, and mitigate cybersecurity risks

Best Practices for Using the FFIEC Cybersecurity Assessment Tool


Organizations should follow best practices for successful implementation of the FFIEC Cybersecurity Assessment Tool, including:

Use the tool as an enterprise-wide diagnostic

Management can review the results of the Inherent Risk Profile to gain insight into the policies, processes, procedures, and controls in place enterprise-wide, with a view to fixing the deficits.

Use the tool before launching new products, services, or initiatives

Before entering periods of significant change, management can use the FFIEC tool to understand how the proposed changes might affect the organization's risk profile and desired cybersecurity maturity levels. The tool can also be used after changes have been implemented to measure their impact on risk and preparedness across the organization.

For each risk category in the FFIEC Inherent Risk Profile, choose the inherent risk level that best matches each product, service, or activity. The different risk levels are least, minimal, moderate, significant, and most.

For each domain in the FFIEC Cybersecurity Maturity assessment, management should rate the institution's maturity as either baseline, evolving, intermediate, advanced, or innovative.

To complete the FFIEC Cybersecurity Assessment Tool, management should first read the overview, followed by the User's Guide. Next, complete the Inherent Risk Profile and the Cybersecurity Maturity assessment, and then interpret and analyze the organization's results.

Get Answers to FFIEC Cybersecurity Assessment Tool FAQ


Visit the following resources for more details and guidance on successfully implementing the FFIEC Cybersecurity Assessment Tool and answers to frequently asked questions.