We occasionally receive the question, "How often should you complete the FFIEC Cybersecurity Assessment Tool (CAT)?" The short answer: It depends. In this article, we will review five things "it depends" on.
#1: The CAT itself may not be required.
According to the CAT Frequently Asked Questions document, "use of the Assessment by institutions is voluntary. Institution management may choose to use the Assessment, or another framework, or another risk assessment process to identify inherent risk and cybersecurity preparedness."
As its name implies, the CAT is designed to be a tool. If the organization is assessing its risk and maturity in another way, the CAT may not be required. That's not to devalue the CAT in any way, as there are distinct benefits to using this specific tool. According to the FFIEC, the CAT was designed to provide "institutions with a repeatable and measurable process to inform management of their institution's risks and cybersecurity preparedness." Using a tool designed specifically for financial institutions by industry leaders makes it a tool worth considering, even if it is not "required."
#2: Risk management and controls are required to be reported annually.
While completing the CAT may not be a requirement, the Interagency Guidelines Establishing Information Security Standards do require financial institutions to report on the status of the information security program "at least annually." The report is expected to include details regarding "risk management and control decisions," both of which are at the heart of the CAT. One benefit of the CAT is that it provides a standardized way to report inherent risk and control maturity, which can be easily leveraged in the annual report.
#3: The CAT can be used to plan for growth.
The Interagency Guidelines require the annual report to include "recommendations for changes in the information security program." One of the benefits of the CAT is that its maturity scale provides a visible plan for growth. Institutions can use the results to demonstrate which areas are mature and which areas might need to be improved. Software solutions, such as Tandem Cybersecurity, offer the ability to generate reports that show the current state of maturity and help institutions plan for the next year.
#4: The CAT can become outdated if not regularly reviewed.
If your organization has previously completed the CAT, it is important to implement a review process to ensure the information remains accurate. As environments change, risk changes with them; therefore, the evaluation and its documentation should keep pace. According to the FFIEC, "management should consider reevaluating the institution's inherent risk profile and cybersecurity maturity periodically and when planned changes can affect its inherent risk profile." As such, it is best practice to review the assessment on a regular basis. Tandem Cybersecurity (Pro) can simplify this process by allowing you to copy the previous assessment, make changes to the new version, and download comparison reporting that highlights the differences.
#5: The CAT may be requested during examinations.
The InTREx Work Program states that while financial institutions are not required to use the CAT, examiners will reference the CAT's Appendix A when performing exams. Appendix A is a mapping of how each CAT baseline statement corresponds with the risk management and control expectations outlined in the FFIEC IT Examination Handbook. InTREx also asks examiners to determine if "the institution assessed its cybersecurity risk and preparedness in the last 12 months using FFIEC CAT, FSSCC Profile, NIST or any other assessment tool?" With that in mind, while you do not have to use the CAT, it is on the list of ideal tools.
In 2018-2020, the NCUA used the ACET (Automated Cybersecurity Examination Tool) in its IT exams to "benchmark" all credit unions. The ACET is a spreadsheet built around the CAT questionnaire with some additional examination elements. The NCUA is now piloting the InTREx-CU work program and continues to encourage credit unions to use the CAT as a self-assessment tool. Credit unions are welcome to continue using the ACET spreadsheet to complete the CAT. For additional information, see our blog: How InTREx-CU Will Affect Your 2022 NCUA Exam.
What this means is examiners are familiar with the CAT and some do use it to supplement their examination process. Ask your examiner about their expectations and update your completed CAT accordingly.
While there is no "regulation" or "law" that requires financial institutions to complete the Cybersecurity Assessment Tool (CAT) on a specific frequency, there are industry expectations and best practices which indicate financial institutions should assess their cybersecurity risk and preparedness at least annually. The CAT is one way of doing this. If your organization chooses to complete the CAT, keep it up to date with at least an annual review, and more frequently when business processes change or prior to an examination. For additional resources and options for completing the CAT, visit Tandem.App/Cybersecurity-Assessment-Tool-FFIEC.