On June 30, 2015, the FFIEC released a new Cybersecurity Assessment Tool. (Yes, the acronym CAT is already in use.) The tool is designed to help financial institutions, such as banks and credit unions, identify their inherent cybersecurity risk and assess their cybersecurity preparedness. It is based on findings from last year’s pilot assessment on cybersecurity preparedness at more than 500 community financial institutions.
The CAT is comprised of the following pdf documents:
- Overview for Chief Executive Officers and Board of Directors
- User’s Guide
- Inherent Risk Profile
- Cybersecurity Maturity
- Additional Resources
These documents and a guide describing their use (Process Flow for Institutions) as well as a short, 20-minute video on how to utilize the tool are included on the FFIEC website at the following location, www.ffiec.gov/cyberassessmenttool.htm.
Take note, the FFIEC states this process is intended to complement, not replace, an institution’s existing risk management process and cybersecurity program. However, you would be wise to begin using the CAT, rather than relying solely on existing risk management. Examiners will gradually begin to look for and use the tool during examinations in order to determine an institution’s inherent risk profile and level of cybersecurity preparedness.
I like the design and structure of the CAT as the risk and preparedness assessment process is straight-forward, but do not think the tool is easy. It is comprehensive, covering five detailed risk categories which include 39 different activities, services, or products (each with five levels of risk: Least, Minimal, Moderate, Significant and Most), and preparedness includes five domains with a total of 494 declarative statements. Take another note: do not wait to start this process until the night before examiners arrive.
How do you determine your inherent risk level? As an example, one of the services in the risk assessment is Wireless Network Access. To determine the risk you select the level describing your institution:
- No Wireless = Least
- Separate access for guests and corporate = Minimal
- Guest and corporate wireless network access are logically separated; limited number of users and access points (1–250 users; 1–25 access points) = Moderate
- Wireless corporate network access; significant number of users and access points (251–1,000 users; 26–100 access points) = Significant
- Wireless corporate network access; all employees have access; substantial number of access points (>1,000 users; >100 access points) = Most
Did you select one of the above levels? Congratulations, you have completed a risk ranking for one of the services. Now continue on; you only have 38 more to go.
How does the Maturity section work? Here is the short answer. You respond, “Yes” or “No” to the all declarative statements. The yeses calculate your maturity level for each component. There are five maturity levels: Baseline, Evolving, Intermediate, Advanced and Innovative. In a perfect world, your preparedness would be Innovative for all of the components. Realistically, your maturity preparedness ratings will be scattered across all levels. To advance in preparedness levels all declarative statements in each maturity level, and previous levels, must be attained and sustained to achieve that level.
When you finish, the Board or a committee of the Board must decide if the Maturity levels are acceptable in relation to the risk. If it is not acceptable, you must either lower risk levels or raise the preparedness level.
The good news is you have a new CAT, with all of its detail, to guide you toward a “process of protecting information by preventing, detecting, and responding to attacks.”