Article

FFIEC CAT sunset: Considerations for choosing a new cybersecurity framework

December 16, 2024 / 6 min read

The FFIEC CAT sunset means financial institutions must select and implement a new cybersecurity assessment framework. Strengthen and add strategic value to your cybersecurity posture with these considerations when choosing your next cyber assessment tool.

With the sunset of the Federal Financial Institutions Examination Council cybersecurity assessment tool (FFIEC CAT), supervised financial institutions should be identifying and implementing a new cybersecurity framework. Doing so not only keeps your institution in line with regulatory expectations and keeps your cybersecurity posture robust; selecting the right framework for your bank or credit union can also add strategic value.

The selection process is important and time-sensitive. (Just think back to how long it took to complete the CAT the first time.) If you haven’t begun the process to identify an alternate framework, you’ll want to start early to pace the work. The transition effort is significant, and it includes educating your executive committee and board. We share several factors to weigh when considering your next cyber assessment tool.

Why is the FFIEC CAT sunsetting?

Since its release in 2015, the CAT has had no major updates, while the cybersecurity landscape has evolved considerably. New threats have emerged, along with new cybersecurity assessment tools and frameworks to combat them. The FFIEC likely recognized that maintaining the CAT would be less effective than recommending institutions transition to more current and comprehensive frameworks.

Credit unions should note that the National Credit Union Administration (NCUA) will continue to support its version of the CAT, the automated cybersecurity evaluation toolbox (ACET), although the NCUA too may decide to sunset this framework in the future.

Risks and opportunities when selecting a new cyber assessment tool

In its statement about the CAT sunset, FFIEC doesn’t endorse any specific alternate tool and instead suggests four options. Don’t underestimate the importance of choosing wisely.

Without carefully weighing the four tools — as well as others that banks and credit unions are free to use — your institution risks buckling itself into a framework that doesn’t align with your needs and goals. Sure, you can dust it off once a year and confirm you’ve passed the controls, but that approach won’t provide much value in terms of guiding your strategy longer term.


When the CAT was introduced, the intent behind it was in part aspirational. The CAT helped set organizations up to look beyond their immediate ecosystem, size, and asset class to consider the practices and controls of larger institutions with more mature cybersecurity postures. Now, as your financial institution thinks about transitioning to a new framework, you have an opportunity both to check the boxes on your well-operating controls and to select a tool that will help spark ideas for your future state.

Evaluating alternative cybersecurity frameworks

Financial institutions may already be familiar with the four alternative cyber frameworks FFIEC lists. Over the years, a growing number of organizations have adopted frameworks other than CAT.

  1. NIST Cybersecurity Framework 2.0: Widely recognized, this framework offers a comprehensive set of controls with 135 outcome descriptions. It serves as the foundation for many tools, some of which have added functionalities. Management teams that have used NIST in other industries might appreciate and feel at home with the NIST CSF 2.0. Additional columns in the tool are useful for prompting discussions on key concepts like priorities, current responsibilities, and supporting evidence tied to each CSF outcome. Even for institutions that prefer not to use the NIST CSF, these can be good topics to carry over to other tools to prompt similarly valuable conversations.
  2. Cybersecurity and Infrastructure Security Agency (CISA) Cross-Sector Cybersecurity Performance Goals: This framework provides a high-level breakdown of control categories with 38 security practices, categorized by cost, impact, and complexity. Sector-specific goals have been issued for energy and healthcare. A financial sector-specific version is expected, although financial institutions can also use the sector-agnostic goals to similar effect. For organizations that want more latitude to apply their own judgment, this option may be well suited. With only 38 security practices to respond to, it allows management to add its own level of interpretation and focus, and to support those decisions in future discussions with examiners.
  3. Cyber Risk Institute (CRI) Profile 2.0: This tool features a four-tier maturity model, with most institutions likely falling into the lowest tier, which includes 208 diagnostic statements. The CRI Profile 2.0 has built-in mappings to the FFIEC CAT, the FFIEC handbooks, the New York Department of Financial Services (NYDFS) cybersecurity regulation, and other regulations. If management prefers the logic of any of those existing frameworks, either the CIS Critical Security Controls or the CRI Profile 2.0 should help with the transition. The CRI tool also offers built-in considerations to identify controls that have been assessed and those that have not, helping to sync internal self-assessment efforts with audit efforts. With the lengthiest list of controls, this framework may be preferred by teams looking for more prescriptive statements to tie into strategic plan to-do lists.
  4. Center for Internet Security (CIS) Critical Security Controls: This framework breaks controls into three implementation groups, allowing institutions to start with a baseline comparison and gradually move up. However, it doesn’t include an inherent risk assessment, so additional judgment calls may be required. The framework offers multiple tiers of controls to implement, a concept that will be familiar from the CAT. If management appreciates an externally defined list for prioritizing implementation of controls, the CIS Controls might warrant a closer look. Additionally, the CIS Controls Navigator offers functionality to map controls to NIST, CISA, CRI, CAT, and a variety of other tools.

And remember that you’re not limited to one of these four. Without a set script or list of defined selection criteria, you’ll want to consider your institution’s experience, maturity level, management style and culture, objectives, and other priorities.

Defining maturity and communicating cyber framework decisions

One useful aspect of the CAT was the set-up of the inherent risk profile, which helped institutions identify their risk tier and provided specifics to help increase the maturity of controls. For the most part, these four potential CAT replacements don’t have that same built-in maturity concept. This opens the door for management to define its own maturity levels for the institution — and ideally to set the stage for guiding strategic decisions for years to come.

Management certainly has the option to respond “yes” to each control in the first assessment, which could be efficient but ultimately simplifies the process into a check-the-box exercise. Where management is able to assess controls as not in place, ad hoc, effective, or highly effective, those nuanced comments will more likely help drive the intended benefit of the framework you adopt.

Is your management team self-aware, conservative in its grading, and able to fill in gaps, or does it prefer a more prescriptive approach? While neither is necessarily better, it helps to assess your organization’s culture and management style to guide decisions as you research alternatives. Start communicating early to your executive committee and board so they understand the decision-making process and the new benchmarks — and how they connect to your security policies, culture, and strategic plan.


Don’t underestimate the extent of this change

All of these frameworks and supporting resources are easy to access and tour. Review their expectations to aid your decision. Seize the opportunity: consider selecting a framework that aligns with the maturity of your cybersecurity program and is realistic and attainable for your institution. Choosing a tool that provides some lightbulb, “we could do that in our bank” moments helps you build out your strategic plan and budget, encourage greater maturity, and continually strengthen your cybersecurity posture.
