Christopher Cwalina is a Partner and Kaylee Cox is an Associate in Holland & Knight's Washington D.C. office
Today, the Federal Financial Institutions Examination Council (FFIEC) released a Cybersecurity Assessment Tool (CAT) to assist organizations in identifying cyber risks and assessing their cybersecurity preparedness. The CAT was developed in response to last year's pilot assessment of cybersecurity preparedness at more than 500 institutions and was created such that financial institutions of any size can leverage its methodologies to perform self-assessments.
Despite its name, the CAT is essentially an assessment model, as opposed to a technical tool. The principles set forth in the CAT are consistent with the FFIEC Information Technology Examination Handbook (IT Handbook) and the National Institute of Standards and Technology (NIST) Cybersecurity Framework in addition to standard industry practices. The CAT is broken down into two parts: (i) Inherent Risk Profile and (ii) Cybersecurity Maturity, discussed in further detail below.
A critical point about this process, however, is that it is intended to complement, not replace, an institution's risk management process and cybersecurity program.
Part One: Inherent Risk Profile
The first step in completing the assessment is to identify the organization's inherent risk before implementing controls. The organization's inherent risk profile is assessed based on five categories:
- Technologies and Connection Types
- Delivery Channels
- Online/Mobile Products and Technology Services
- Organizational Characteristics
- External Threats
Each category may pose a different level of inherent risk, ranging from Least, Minimal, Moderate, Significant, or Most Inherent Risk. An institution with a Most Inherent Risk Profile typically uses highly complex technologies to provide numerous products and services; whereas, an organization with a Least Inherent Risk Profile generally has very limited use of technology.
Part Two: Cybersecurity Maturity
After identifying the organization's Inherent Risk Profile, the next step is to assess the company's maturity level. The Cybersecurity Maturity assessment includes domains, assessment factors, components, and individual declarative statements across five maturity levels to identify specific controls and practices that are in place; however, the CAT is not designed to identify an overall cybersecurity maturity level and instead allows companies to determine the maturity level for each domain. These five domains include:
- Cyber Risk Management and Oversight
- Threat Intelligence and Collaboration
- Cybersecurity Controls
- External Dependency Management
- Cyber Incident Management and Resilience
The CAT contains various maturity levels for each domain. These maturity levels are cumulative, starting with the Baseline level (defined as the minimum expectations required by law or recommended in supervisory guidance) and progressing to the Innovative level (characterized by driving innovation in people, processes, and technology for the institution and the industry to manage cyber risks).
To assist in determining which maturity level applies, each level is accompanied by a set of declarative statements, organized by assessment factor that describe how the behaviors, practices, and processes of an institution can consistently produce the desired outcomes. Management determines which declarative statements best describe the current practices of the organization, and all declarative statements in each maturity level, and all previous levels, must be met and sustained in order to achieve that domain's maturity level. However, statements that are not applicable to all institutions (and designated as such) will not prevent the organization from achieving that level.
Interpreting the Results
After identifying and reviewing the organization's inherent risk profile and maturity levels across the domains, management can make a determination as to whether the company's maturity levels are appropriate in relation to its risk(s) and implement steps to either to reduce the level of risk or to increase the levels of maturity, as appropriate. As mentioned, this process was designed to supplement an organization's risk management process and cybersecurity program—not replace it.
In addition, the CAT was designed to be a repeatable process, and, as with all cybersecurity programs, assessing cyber risk, maturity, and preparedness is not a one-time procedure. An institution's inherent risk profile and maturity levels will change over time as threats, vulnerabilities, and operational environments change. Thus, management should periodically reevaluating its inherent risk profile and cybersecurity maturity as well as when material changes to its processes or procedures could alter it.
Additional Resources and Implementation Process
The FFIEC has also published several other resources to supplement the CAT, including an overview for chief executive officers and board members, a user's guide, and an online presentation. In addition, FFIEC provided three appendices to supplement the CAT: Appendix A: Mapping Baseline Statements to the FFIEC IT Handbook; Appendix B: Mapping to NIST Cybersecurity Framework (drafted with input from NIST); and Appendix C: Glossary of Terms.
The FFIEC recommends that organizations read and implement these resources in the following order:
- Step 1: Read the Overview for Chief Executive Officers and Boards of Directors
- Step 2: Read the User's Guide
- Step 3: Complete CAT, Part One: Inherent Risk Profile
- Step 4: Complete CAT, Part Two: Cybersecurity Maturity
- Step 5: Interpret and Analyze Assessment Results
These resources are particularly beneficial because they allow organizations to map to elements of NIST by accomplishing the tasks laid out in different parts of the CAT and also demonstrate how the declarative statements in the CAT for maturity levels correspond with the risk management and control expectations outlined in the FFIEC IT Handbook.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
