FFIEC CAT Update: Why It’s Valuable To Your Credit Union, Even If It’s Not Required
It’s been a little more than two years since the initial release of the FFIEC’s Cybersecurity Assessment Tool (CAT), an instrument that was met with both relief and distress from financial institutions. Earlier this spring, the FFIEC published long-awaited revisions to the CAT with two noteworthy changes: a revised CAT Appendix A and the allowance of compensating controls.
Let’s dig into the key updates, address the 500-question elephant in the room, and attempt to reframe a common question, “Do examiners require this tool?”
Appendix A and compensating controls
The biggest update is detailed mapping of the tool’s declarative statements at the baseline maturity level to the applicable FFIEC IT Examination Handbook. While some concerns about imprecise wording were not addressed, the revised tool rightly raises the cybersecurity review to a higher level in response to more sophisticated hacking incidents.
The FFIEC is also making an active push to update examination handbooks, which have not been updated since the mid-2000s. Expect the Appendix to be updated to align with new or revised handbooks following their release.
The second major improvement is refining the controls to be clearer and more accurate. For instance, you can now answer questions in three ways: Y, Y(c), and N. The newly added Y(c) allows institutions to get credit for their compensating controls, which are essentially countermeasures used in lieu of a recommended security control but that offer comparable protection.
We are happy that our clients will get credit for compensating controls, which should give a more accurate picture of the organization’s true cybersecurity position. Be aware that leaning on compensating controls may increase the level of scrutiny from auditors and examiners. Make sure you have strong documentation on these compensating controls.
Is the tool required?
We hear from our clients that, at more than 500 questions long, the process requires input from almost all areas and departments, which makes completing the CAT daunting. Furthermore, there is much debate and confusion about whether completing the FFIEC CAT is required. Officially, it is still voluntary, but at a minimum, financial institutions should be aware of the tool and be prepared to speak to it in their next regulatory exam. We are aware of some credit unions that have been cited via documents of resolution (DOR) for not having completed their CAT.
I hear those concerns, and pose a countering perspective: the comprehensive nature of these questions will push you to see issues you may not have considered. That is the whole point, namely to elevate cybersecurity risk concerns across your institution.
The results can also be used to inform your strategic planning. Talk to your IT committee or senior management to discuss your results and use the information to launch into bigger questions:
- Do we have plans to offer new services that may put us in a higher risk category? Are we compliant in those areas? What will we need to do to meet those requirements and start offering the service?
- Will our current staff need training in these higher-risk areas, or will we need to bring in additional personnel?
- If we are offering new services, what will we need to do to protect them?
How we can help
We are passionate about security and can help credit unions advance their cybersecurity position. Our examination will carefully evaluate your IT operations and environment and give you a critical analysis of all of your cybersecurity controls. Our report will describe any gaps, and if applicable, make recommendations on how to bridge these gaps. Together, we’ll help you establish a robust cybersecurity framework.