The FFIEC Cybersecurity Assessment Tool: A Framework for Measuring Cybersecurity Risk and Preparedness in the Financial Industry
The FFIEC Cybersecurity Assessment Tool (CAT) is a diagnostic test that helps institutions identify their risk level and determine the maturity of their cybersecurity programs.
The FFIEC’s tool measures risk levels across several categories, including delivery channels, connection types, external threats, and organizational characteristics. Ultimately, the tool allows management to make risk-driven security management decisions through regular cybersecurity assessments using standardized criteria for risk measurement.
How the FFIEC Cybersecurity Assessment Tool Works
The FFIEC Cybersecurity Assessment Tool works by building a measurable picture of an organization's levels of risk and preparedness. Management conducts a two-part survey, including:
- An Inherent Risk Profile, which determines an organization's current level of cybersecurity risk.
- A Cybersecurity Maturity assessment, which identifies an organization's current cybersecurity preparedness level, as defined by maturity scores in five distinct domains (see below).
Details on how to complete each component can be found in the FFIEC CAT User's Guide. The FFIEC cybersecurity assessment is meant to be completed periodically and also after significant technological or operational changes. Despite concerns among financial institutions that not using the tool could lead to regulatory issues, using the FFIEC tool is voluntary. However, the tool is becoming widely used in the financial industry as auditors are increasingly requiring companies to complete an assessment to demonstrate FFIEC CAT compliance.
How the FFIEC Cybersecurity Assessment Tool Measures Risk and Maturity
The FFIEC Cybersecurity Assessment Tool measures both the security risk present in an institution and the institution's preparedness to mitigate that risk. These two factors are measured across the following categories:
FFIEC CAT Inherent Risk Profile Assessment Categories
The FFIEC's Inherent Risk Profile assessment measures risks across the following five categories:
- Technologies and Connection Types: Some types of technologies and the networks they connect to come with a higher inherent risk level. In this category, managers examine the number of connections from third parties and ISPs, the number of unsecured connections, whether hosting is outsourced or handled internally, and several other factors.
- Delivery Channels: Some delivery channels for company products and services pose a higher risk than others. More delivery channels, and more diverse delivery channels, means a higher inherent risk. In this category, risk is measured across websites, web and mobile applications, and ATMs.
- Online and/or Mobile Products and Tech Services: The security of an institution varies depending on the different technology products and services they offer. Payment services and transaction services such as credit cards, wire transfers, person-to-person payments, and correspondent banking all come with different security challenges that are assessed in this category.
- Organizational Characteristics: In this category, characteristics of the institution itself are examined, including number of direct employees, changes in security staff, number of users with elevated security privileges, locations of data centers, and more.
- External Threats: The number of attacks (and the type of attacks) sustained by an organization factor into its risk assessment under this section of the FFIEC Cybersecurity Assessment Tool.
FFIEC CAT Maturity Assessment Categories
The FFIEC’s Cybersecurity Maturity assessment assigns values to maturity levels in the following five domains:
- Cyber Risk Management and Oversight: Does the board of directors oversee management's commitment to an institution-wide cybersecurity program? This assessment examines oversight in terms of strategy, policies, robustness of the risk management program, staffing and budgeting of the program, culture, and training.
- Threat Intelligence and Collaboration: What processes are in place to uncover, analyze, and share findings on evolving cybersecurity threats? In this domain, management grades the institution in terms of threat intelligence, monitoring/analyzing, and relationships between peers and internal stakeholders that facilitate or hinder cyber threat information sharing.
- Cybersecurity Controls: What's the current maturity of controls in place to protect infrastructure, assets, and information through constant, automated monitoring and protection? In this domain, controls are assessed from detective, preventative, and corrective perspectives.
- External Dependency Management: This FFIEC maturity assessment domain delves into the organization's existing program to oversee and managed third-party relationships and external connections that have access to the enterprise's information and technology assets.
- Cyber Incident Management Resilience: In this domain, FFIEC assessors within the organization evaluate its response to cyber threat events, including planning and testing to recover normal operations after an event.
Benefits of the FFIEC Cybersecurity Assessment Tool
The benefits provided by the FFIEC Cybersecurity Assessment Tool are varied, but generally they bring a measure of scrutiny and control to a too-often overlooked yet critical area of an institution. Using the FFIEC CAT can help your organization:
- Identify areas of risk proactively, before there is a problem
- Determine the depth and breadth of cyber risk your organization is exposed to
- Discover the institution's preparedness to deal with the cyber threats it faces
- Make decisions about security processes and programs based on the true nature of existing risk
- Use a measurable and repeatable process to assess risk preparedness over time
- Understand, address, and mitigate cybersecurity risks
Best Practices for Using the FFIEC Cybersecurity Assessment Tool
Organizations should follow best practices for successful implementation of the FFIEC Cybersecurity Assessment Tool, including:
- Use the tool as an enterprise-wide diagnostic: Management can review the results of the Inherent Risk Profile to gain insight into the policies, processes, procedures, and controls in place enterprise-wide, with a view to fixing the deficits.
- Use the tool before launching new products, services, or initiatives: Before entering periods of significant change, management can use the FFIEC tool to understand how the proposed changes might affect the organization's risk profile and desired cybersecurity maturity levels. The tool can also be used after changes have been implemented to measure their impact on risk and preparedness across the organization.
- For each risk category in the FFIEC Inherent Risk Profile, choose the inherent risk level that best matches each product, service, or activity. The different risk levels are least, minimal, moderate, significant, and most.
- For each domain in the FFIEC Cybersecurity Maturity assessment, management should rate the institution's maturity as either baseline, evolving, intermediate, advanced, or innovative.
- To complete the FFIEC Cybersecurity Assessment Tool, management should first read the overview, followed by the User's Guide. Next, complete the Inherent Risk Profile and the Cybersecurity Maturity assessment and then interpret and analyze the organization's results.
Get Answers to FFIEC Cybersecurity Assessment Tool FAQ
Visit the following resources for more details and guidance on successfully implementing the FFIEC Cybersecurity Assessment Tool and answers to frequently asked questions.
- See this FFIEC.Gov document for a full exploration of the FFIEC Cybersecurity Assessment Tool, including detailed instructions for how to perform and deliver the required tests and documentation.
- The FFIEC IT Examination Handbook provides comprehensive information on information security program governance, management, and effectiveness.
- The FFIEC Cybersecurity Assessment Tool's resource page at FFIEC.gov provides links to the user's guide, Inherent Risk Profile, Cybersecurity Maturity document, and a list of steps for proper process flow.
- See the FFIEC User's Guide here.
- See the FFIEC Inherent Risk Profile here for part one of the two-part FFIEC Cybersecurity Assessment Tool.
- See the FFIEC Cybersecurity Maturity assessment here for part two of the two-part FFIEC Cybersecurity Assessment Tool.