While some financial industry professionals find flaws with the FFIEC Cybersecurity Assessment Tool, others argue that it is a valuable resource that can help financial institutions (FIs) identify critical gaps in their security postures. I’m in favor of the CAT and am encouraged to see so much interest in it, as the dialogue will only help make the tool stronger going forward.
Some of the complaints raised by the CAT's detractors include:
- The tool is very large and time consuming
- There should be a second release with bank-specific recommendations
- The CAT should align more closely with the NIST Cybersecurity Framework
- Examiners should not question a bank about performing the assessment because it is meant to be “voluntary”
I have some thoughts on these criticisms that are worth financial institutions' attention. First, if the CAT were simple, it would not be very useful or provide accurate, detailed feedback. Yes, it takes time to complete, but I suggest working smarter (not harder) by automating responses with the security solutions you already run. Banks are already required to have layered security, so they can point their tools' automation and reporting at the CAT's declarative statements rather than answering each one by hand.
Look at "Domain Three" (Cybersecurity Controls), for example. This domain is explicitly about your security control stack for prevention, detection, and response. It will be clear to the risk officer which controls the FI needs a solution for, and as your vendors add more automation and reporting, you can answer those statements with evidence pulled from the tools themselves, be more innovative, and expend fewer resources.
I also take issue with the complaint about examiners asking FIs whether they have completed the assessment, even though it is meant to be voluntary. If the FFIEC advises banks to use the CAT, it's for good reason and not merely as an educational exercise. Clearly, the FFIEC has found major gaps in cyber security approaches and has developed the tool to help fill them. I can't understand why FIs would want to wait for a mandate before assessing their own security posture.
Another recent article suggests the CAT should do everything for you and assess your unique organizational needs because, as we all know, one tool can be tailored to everyone without customization (that was sarcasm, by the way).
Some notable complaints highlighted in that article include:
- “The tool feels more like a ‘checkbox’ exercise than an interactive assessment tool.”
- “Some questions are difficult to answer because you may do some things for a particular question but not others.”
- “You have to weigh your response to either a ‘yes’ or a ‘no.’ Those types of questions require more follow-up and explanation for internal and external audiences to understand the scope with which you do or don’t do certain things.”
Here’s my rant on those statements:
- The tool is a baseline, and it's up to the individual organization to identify its risk appetite and establish its desired level of maturity. The FFIEC cannot spell that out for each FI, so the CAT helps FIs level-set risks against controls and determine areas for improvement.
- If the question is not applicable to your organization, take it out of the assessment and explain why on a documented exception sheet.
- The questions are aimed at achieving specific levels of maturity; the higher the maturity level, the more security controls are required. That being said, if you have partial coverage of the next highest maturity level but still need to address some areas, that's okay. Document what you have and record what you don't in a management risk acceptance statement.
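As an added illustration (not code from the original post or from the FFIEC), here is a small Python script that applies those three points to an answer inventory: it computes the highest maturity level fully attained per domain, shows partial coverage at the next level, and collects the "No" answers and documented exceptions into draft lines for a management risk acceptance statement. It assumes the CAT convention that a level is attained only when every applicable declarative statement at that level and at all lower levels is answered Yes or Yes with compensating controls; the statement IDs and wording in the sample inventory are constructed for the example, not the CAT's.

```python
"""Score a CAT-style answer inventory by maturity level.

Added example, not part of the FFIEC CAT or the original post. The
attainment rule (all applicable statements at a level and every lower level
must be Yes or Yes(C)) is an assumption modelled on the CAT's approach.
"""
from collections import defaultdict

# CAT maturity levels, lowest to highest.
LEVELS = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]
# Answers that count as attained. "Yes(C)" = yes, with compensating controls.
ATTAINED = {"Yes", "Yes(C)"}
ANSWERS = ATTAINED | {"No", "N/A"}

# Constructed sample inventory: hypothetical statement ids and wording.
SAMPLE = [
    {"id": "D1.B.1", "domain": "Domain 1", "level": "Baseline", "answer": "Yes",
     "text": "Risk assessment is updated at least annually."},
    {"id": "D1.E.1", "domain": "Domain 1", "level": "Evolving", "answer": "Yes(C)",
     "text": "Threat information feeds the risk assessment.",
     "compensating": "Quarterly ISAC briefing reviewed by the risk committee."},
    {"id": "D3.B.1", "domain": "Domain 3", "level": "Baseline", "answer": "Yes",
     "text": "Anti-malware is deployed on all endpoints."},
    {"id": "D3.B.2", "domain": "Domain 3", "level": "Baseline", "answer": "Yes",
     "text": "Remote access requires multifactor authentication."},
    {"id": "D3.B.3", "domain": "Domain 3", "level": "Baseline", "answer": "N/A",
     "text": "Wire transfer systems enforce dual authorization.",
     "exception": "Institution does not originate wires."},
    {"id": "D3.E.1", "domain": "Domain 3", "level": "Evolving", "answer": "Yes",
     "text": "Alerts are triaged by a SOC within defined SLAs."},
    {"id": "D3.E.2", "domain": "Domain 3", "level": "Evolving", "answer": "No",
     "text": "Network traffic is monitored for data exfiltration."},
    {"id": "D3.I.1", "domain": "Domain 3", "level": "Intermediate", "answer": "Yes",
     "text": "Endpoint detection and response covers all servers."},
]


def validate(inventory):
    """Return documentation gaps: every N/A needs an exception note and
    every Yes(C) needs the compensating control named."""
    problems = []
    for s in inventory:
        if s["answer"] not in ANSWERS:
            problems.append(f"{s['id']}: unknown answer {s['answer']!r}")
        elif s["answer"] == "N/A" and not s.get("exception"):
            problems.append(f"{s['id']}: N/A without a documented exception")
        elif s["answer"] == "Yes(C)" and not s.get("compensating"):
            problems.append(f"{s['id']}: Yes(C) without the compensating control")
    return problems


def assess(inventory):
    """Per domain: highest level fully attained, the next level up, what is
    already met there (partial coverage) and what is still a gap."""
    by_domain = defaultdict(lambda: {lvl: [] for lvl in LEVELS})
    for s in inventory:
        by_domain[s["domain"]][s["level"]].append(s)

    report = {}
    for domain, levels in sorted(by_domain.items()):
        attained = None
        for lvl in LEVELS:
            stmts = levels[lvl]
            applicable = [s for s in stmts if s["answer"] != "N/A"]
            # A level counts only if it has statements and no applicable one
            # is a No; the loop stops at the first level that fails, so a Yes
            # at a higher level never raises the score on its own.
            if stmts and all(s["answer"] in ATTAINED for s in applicable):
                attained = lvl
            else:
                break
        if attained == LEVELS[-1]:
            nxt = None
        else:
            nxt = LEVELS[0] if attained is None else LEVELS[LEVELS.index(attained) + 1]
        next_stmts = levels[nxt] if nxt else []
        report[domain] = {
            "attained": attained,
            "next": nxt,
            "met_at_next": [s["id"] for s in next_stmts if s["answer"] in ATTAINED],
            "gaps": [s["id"] for s in next_stmts if s["answer"] == "No"],
            "exceptions": [s["id"] for lvl in LEVELS for s in levels[lvl]
                           if s["answer"] == "N/A"],
        }
    return report


def risk_acceptance(inventory, report):
    """Draft lines for the management risk acceptance statement: each No at
    the next level and each documented exception, in one place."""
    by_id = {s["id"]: s for s in inventory}
    lines = []
    for domain, r in report.items():
        for sid in r["gaps"]:
            lines.append(f"{domain} / {r['next']}: {sid} not met - {by_id[sid]['text']}")
        for sid in r["exceptions"]:
            lines.append(f"{domain}: {sid} excluded - {by_id[sid]['exception']}")
    return lines


if __name__ == "__main__":
    for p in validate(SAMPLE):
        print("DOC GAP:", p)
    result = assess(SAMPLE)
    for domain, r in result.items():
        print(f"{domain}: attained {r['attained']}, next {r['next']}, "
              f"met {r['met_at_next']}, gaps {r['gaps']}")
    print("\n".join(risk_acceptance(SAMPLE, result)))
```

In the sample, Domain 3 scores only Baseline even though one Intermediate statement is a Yes, because an Evolving statement is still a No; that No and the wire-transfer exception are what end up in the risk acceptance lines, which is exactly the partial-coverage situation described above.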
Instead of complaints, I'd rather see the development of a shared resource forum for implementing the CAT and fine-tuning it to your FI. The tool is not meant to be easy; it's meant to be continually updated with timely and accurate information about your risks and the controls you have in place to mitigate them. It's a visual representation of your security posture.
Using the CAT for guidance, FI management can present the board with its risk posture and implement the steps needed to move up the maturity levels toward Innovative. To do it right, you have to assemble the right people and information flow, and continuously assess the security of your environment. The CAT is not meant to be another regulation. I would argue that it's actually a means to help reduce the number of examinations, if FIs start implementing positive security and become aggressive about filling the gaps.