The Federal Financial Institutions Examination Council (FFIEC) is an interagency body made up of five federal financial regulators (the Federal Reserve Board, FDIC, NCUA, OCC and CFPB) plus a State Liaison Committee. Its objective is to promote uniformity in the supervision of financial institutions. To that end, it published the FFIEC Cybersecurity Assessment Tool, designed to help institutions identify, assess and mitigate their cybersecurity risk. Note that the FFIEC announced in August 2024 that it will sunset the tool on August 31, 2025, pointing institutions toward alternatives such as the NIST Cybersecurity Framework 2.0 and the CISA Cybersecurity Performance Goals; the structure described below is still useful for understanding how the assessment works and how its results can inform your preparedness against the risks inherent in today's cyber environment.
What is The FFIEC CAT?
Institutions use the FFIEC Cybersecurity Assessment Tool (CAT) to assess their current level of inherent risk as well as the maturity of their security program. Given the complexity of most institutions' infrastructures, the tool provides various criteria against which you measure your current security profile, including external threats, delivery channels, connection types and organization-specific characteristics.
The FFIEC CAT helps an institution's management develop a comprehensive and measurable picture of its current risk and security posture. The assessment consists of two parts:
- An inherent risk profile, which shows the institution's current level of inherent risk;
- A cybersecurity maturity assessment, which measures the institution's preparedness to mitigate that risk.
The results of the assessment help management understand the institution's current risk climate, make necessary changes and demonstrate compliance with regulatory expectations.
FFIEC CAT Inherent Risk Profile Categories
In this portion of the assessment, you will view your risks across five categories:
- Technologies and connection types. Since interfacing with other parties is one of the most risk-laden aspects of doing business, this category counts items such as Internet service provider (ISP) connections, unsecured external connections, wireless access, personal devices and third parties with access to internal systems.
- Delivery channels. This category looks at risk arising from online banking websites, mobile applications and ATM services.
- Online and mobile products and technology services. Depending on the products you offer (for example payment, wire transfer, ACH or trust services), these services pose risks that must be considered.
- Organizational characteristics. These are features specific to your institution, such as the locations of business operations and data centers, the number of employees with elevated (privileged) access, the number of in-house employees and contractors, changes in IT and security staffing, and mergers or acquisitions.
- External threats. This category considers the number and type of attempted cyber attacks and incidents your institution has experienced.
FFIEC CAT Maturity Assessment Categories
This section measures your institution's preparedness in five domains:
- Cyber risk management and oversight. This domain covers governance of the cybersecurity program: who oversees the risk strategy and policies, and how budgeting, staffing and training support it.
- Threat intelligence and collaboration. The institution is assessed on how well it gathers and analyzes threat intelligence, monitors for threats, and shares information with stakeholders and industry peers.
- Cybersecurity controls. This domain evaluates preventive, detective and corrective controls (manual and automated) that protect data, systems and other assets.
- External dependency management. This domain examines oversight and management of third-party relationships and connections that have any level of access to internal data or systems.
- Cyber incident management and resilience. This domain examines how well the institution detects, responds to and recovers from security incidents, including escalation and reporting.
How To Use The FFIEC Cybersecurity Assessment Results
Once your management team has completed the FFIEC CAT, you can put its findings to work in a number of important ways, including the following:
- Communicate the inherent risk findings to all stakeholders, modifying any policies, procedures or practices that expose the institution to unnecessary risk;
- Reassess before making major changes to your infrastructure, and again after any changes are made, so that your risk profile stays current;
- When rating inherent risk, rate each product, activity or service as least, minimal, moderate, significant or most, and use the distribution of those ratings to determine the overall profile;
- For the maturity assessment, rate each domain as baseline, evolving, intermediate, advanced or innovative. A level is attained only when every declarative statement at that level and at all lower levels is met, so a domain with strong advanced-level practices but an unmet baseline statement is still rated below baseline.
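The following Python script is an added illustration of how the two ratings described above roll up; it is not code from the FFIEC or from the CAT itself. The inherent risk ratings and the per-level declarative statement answers are constructed sample data. The cumulative rule for maturity (a level counts only when it and every lower level are fully met) is the rule the CAT applies; the "suggested overall risk" heuristic, which picks the level holding the most activities and breaks ties upward, is an assumption of this example, since the CAT leaves the overall inherent risk profile to management judgment.

```python
"""Roll-up of FFIEC CAT-style ratings. Added illustration, not FFIEC code;
all sample answers below are constructed, not a real institution's results."""
from collections import Counter

# The five inherent risk levels, least to most.
RISK_LEVELS = ["least", "minimal", "moderate", "significant", "most"]
# The five maturity levels, lowest to highest.
MATURITY_LEVELS = ["baseline", "evolving", "intermediate", "advanced", "innovative"]


def inherent_risk_tally(ratings):
    """Count how many activities were rated at each inherent risk level.

    `ratings` maps an activity, product or service name to one of RISK_LEVELS.
    Returns a dict keyed by level, in least-to-most order, with zero counts kept.
    """
    for name, level in ratings.items():
        if level not in RISK_LEVELS:
            raise ValueError(f"{name!r}: unknown risk level {level!r}")
    counts = Counter(ratings.values())
    return {level: counts.get(level, 0) for level in RISK_LEVELS}


def suggested_overall_risk(ratings):
    """Heuristic (an assumption of this example, not an FFIEC rule): the level
    with the most activities wins; a tie is broken toward the higher level."""
    tally = inherent_risk_tally(ratings)
    return max(RISK_LEVELS, key=lambda lvl: (tally[lvl], RISK_LEVELS.index(lvl)))


def domain_maturity(statements):
    """Return the maturity level attained in one domain, or None.

    `statements` maps each maturity level to a list of booleans, one per
    declarative statement (True for "Yes" or "Yes with compensating controls").
    A level is attained only when every statement at that level and at every
    lower level is met (the CAT's cumulative rule), so answers at higher levels
    never count until the levels beneath them are complete.
    """
    attained = None
    for level in MATURITY_LEVELS:
        answers = statements.get(level, [])
        if not answers or not all(answers):
            break
        attained = level
    return attained


def maturity_gaps(statements):
    """Return (level, statement_index) pairs for the unmet statements at the
    lowest unattained level: the work items that would raise the rating."""
    for level in MATURITY_LEVELS:
        answers = statements.get(level, [])
        missing = [i for i, ok in enumerate(answers) if not ok]
        if not answers or missing:
            return [(level, i) for i in missing]
    return []


# Constructed sample: inherent risk ratings for a small institution.
SAMPLE_RATINGS = {
    "online banking portal": "moderate",
    "mobile app": "significant",
    "ATM network": "moderate",
    "wire transfer service": "significant",
    "third-party core processor link": "most",
}

# Constructed sample: declarative statement answers for one domain. The
# advanced-level statements are all met, but one intermediate statement is
# not, so the domain is rated only "evolving".
SAMPLE_DOMAIN = {
    "baseline": [True, True, True],
    "evolving": [True, True],
    "intermediate": [True, False, True],
    "advanced": [True, True],
    "innovative": [False],
}


if __name__ == "__main__":
    print("Inherent risk tally:", inherent_risk_tally(SAMPLE_RATINGS))
    print("Suggested overall inherent risk:", suggested_overall_risk(SAMPLE_RATINGS))
    print("Domain maturity:", domain_maturity(SAMPLE_DOMAIN))
    print("Next gaps to close:", maturity_gaps(SAMPLE_DOMAIN))
```

Running the script on the sample data reports two "moderate", two "significant" and one "most" rating, suggests "significant" overall, and rates the sample domain "evolving" with one intermediate statement to close; the point of the maturity functions is that the met advanced-level statements do not lift the rating until the intermediate gap is fixed.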
By following this process, you can communicate an accurate snapshot of your institution's current risk and maturity status to directors and other stakeholders.
Awareness is only the first step. Simply having your management team complete the FFIEC assessment will not by itself reduce threats to your vital data and systems; an equally important part of your duty is to act on the findings. Use them as a guide to prioritize remediation, close the gaps that keep a domain from reaching the next maturity level, and update and improve your security controls. Fully used, the results leave your networks, applications and services better protected against internal and external threats.