The Federal Financial Institutions Examination Council (FFIEC) developed the Cybersecurity Assessment Tool (CAT) to help banks and credit unions identify cybersecurity risks and determine their preparedness. The CAT is also useful for non-depository institutions. The CAT provides a measurable process for your financial institution to determine cybersecurity preparedness over time.
The CAT uses the NIST Cybersecurity Framework and tailors its guidance for banks and credit unions. The CAT consists of two parts: Inherent Risk Profile and Cybersecurity Maturity.
Part 1: Inherent Risk Profile
Cybersecurity inherent risk is the level of risk posed to your institution by:
- Technologies and connection types
- Delivery channels
- Online/mobile products and technology services
- Organizational characteristics
- External threats
After completing the profile, you will be able to categorize your institution’s inherent risk into one of the following categories:
- Least inherent risk
- Minimal inherent risk
- Moderate inherent risk
- Significant inherent risk
- Most inherent risk
Part 2: Cybersecurity Maturity
The Cybersecurity Maturity part of the CAT helps you measure how mature your institution's cybersecurity practices and controls are. The five maturity levels range from Baseline through Evolving, Intermediate, and Advanced to Innovative. Cybersecurity Maturity consists of declarative statements used to determine whether your institution's behaviors, practices, and processes support cybersecurity preparedness within five domains. The five domains are:
- Cyber Risk Management and Oversight
- Threat Intelligence and Collaboration
- Cybersecurity Controls
- External Dependency Management
- Cyber Incident Management and Resilience
The Baseline level of maturity reflects the minimum expectations required by law or regulation, or recommended in supervisory guidance. After completing this review, determine the appropriate maturity level for each domain; this is the target state for Cybersecurity Maturity. Management can then develop action plans for achieving the target state.
Upon completion of the Inherent Risk Profile and Cybersecurity Maturity parts, evaluate whether your institution's inherent risk and preparedness are aligned: as inherent risk rises, maturity should rise with it. Where the current maturity level falls short of what the risk profile calls for, the gap becomes the basis for the action plan.
Additional Resources for
FFIEC Information Technology Handbooks
The FFIEC also maintains the Information Technology Examination Handbook, a series of booklets that give examiners and institutions detailed guidance on IT topics such as information security, business continuity management, and outsourcing of technology services.
The FFIEC Examiner Education Office also created the FFIEC InfoBase. The InfoBase has training materials on specific topics of interest to field examiners from the FFIEC member agencies.