On Wednesday, May 31st, the FFIEC sent out a press release announcing updates to its Cybersecurity Assessment Tool (CAT), which has not been updated since its initial release on June 30th, 2015. On the morning of Thursday, June 1st, an updated CAT was revealed to the financial industry.
The good news is that the CAT 1.1 updates are not massive or wholesale, but rather necessary and welcomed. There are three (3) important items about the CAT update that you should know:
- No material changes have been made to the content of the CAT
- The FFIEC has added a consistent, third option to answering the Cybersecurity Maturity Declarative Statements
- Appendix A: Mapping Baseline Statements to the FFIEC IT Handbook has been updated
No Material Changes to the Content of CAT
First and foremost, analysis of FFIEC’s Cybersecurity Assessment Tool text – including all 59 pages of the User’s Guide, Inherent Risk Profile, and Cybersecurity Maturity sections – shows there are no material changes to the content. Aside from an additional statement regarding the new response option in the Cybersecurity Maturity section (page 8), all of the content has remained the same, including all 39 Inherent Risk Profile questions and all 498 Cybersecurity Maturity Declarative Statements. No new questions or statements have been added, none subtracted, and no alterations made to the content for clarity or expansion.
Yes with Compensating Controls
The most significant of the updates is the addition of a third option for answering Cybersecurity Maturity Declarative Statements: the “Yes with Compensating Controls” option. Previously, there were two (2) options for answering Declarative Statements: Yes and No. A few statements also have an “N/A” option. The intention of the “Yes with Compensating Controls” option is to allow the institution to meet the requirements of the Declarative Statement indirectly with other security controls, rather than the specific control the Statement lists. Really, it's a “No, but…” option.
To use the “Yes with Compensating Controls” option, the user of the CAT will have to provide additional narrative or a listing of the other controls the institution has implemented that meet the intention of the Declarative Statement. This new option provides CAT users with a way to either accept the risk of not implementing a Declarative Statement or meet Declarative Statement requirements they were unable to meet previously without the N/A option.
The good news around the “Yes with Compensating Controls” option is that it provides a level of flexibility that the CAT did not previously allow. The only downside: you’ll have to re-evaluate the 498 Cybersecurity Maturity Declarative Statements to see which Statements you need to answer differently.
Updates to FFIEC IT Handbook Mappings
The second significant update to the CAT is found in Appendix A: Mapping Baseline Statements to the FFIEC IT Handbook. FFIEC guidance has received numerous updates over the past two years since the original CAT was released, and the mappings to previous guidance were no longer applicable. The updates to Appendix A, which include mappings to the updated FFIEC IT Management and Information Security booklets, solve that issue.
Unfortunately, while the FFIEC updated Appendix A with new mappings, the actual Declarative Statements in the Cybersecurity Maturity section were neglected, and the old mappings in the text of the Cybersecurity Maturity section remain.
What Does This Mean For The Future?
The update to the CAT has been expected for some time now, and while the “Yes with Compensating Controls” option is a welcome addition, many in the financial industry expected changes to the content as well. Clarity and additional questions or statements are still needed to allow CAT users to more accurately depict their Inherent Risk and Cybersecurity Maturity profiles.
Best guess? The CAT update is more likely a needed update to functionality, and an additional update to content will come at a future date. The expiration date for this updated version of the CAT, which is listed on the document’s cover page, does read August 31, 2019. However, that doesn’t explicitly mean anything, since the original expiration date for CAT 1.0 was December 31, 2015.
For now, review your current CAT answers with the new “Yes with Compensating Controls” option and see how your maturity levels change. Compare your updated Cybersecurity Maturity levels to the results from CAT 1.0, and report these updates to your IT Committee and Board of Directors. Determine if you need to adjust either your current levels of acceptable risk or your goals for future Cybersecurity Maturity, and keep working to mitigate future risk.
Hot Topic Webinar - FFIEC CAT Update Released!
Presented in partnership with GSB
Date: June 9, 2017
Time: 10:00 - 11:00 a.m. CT
SBS Instructor: Chad Knutson
Learn more: http://gsb.virtualvenues.com/store/208597-ffiec-cat-update-released-fa17
How SBS Can Help
SBS CyberSecurity has developed a free, easy-to-use Cybersecurity Assessment Tool, called Cyber-RISK, that aligns directly with the FFIEC CAT. Cyber-RISK allows you to quickly and easily answer Cybersecurity Assessment Tool questions, set Risk Appetites and Goals, and quickly generate reports that you can provide to your IT Committee and Board of Directors.
SBS is currently working quickly to update Cyber-RISK with the new “Yes with Compensating Controls” option, but you can already add comments regarding compensating controls for each Declarative Statement in the Cybersecurity Maturity section. Mappings to new FFIEC guidance will be completed soon as well. Stay tuned!
If you are interested in more information or a deeper-dive into the Cybersecurity Assessment Tool, the SBS Institute offers a banking-specific, role-based Certified Banking Cybersecurity Manager (CBCM) certification program. The CBCM is designed to make you an expert in all things Cybersecurity Assessment Tool related, from policy to the CAT to reporting upstream.
For additional information security updates or assistance with anything information security related, please contact us and let us know how we can help!
Hacker Hour webinars are a series of free webinars hosted by SBS CyberSecurity. Unlike paid webinars, Hacker Hours meet on a monthly basis to discuss cybersecurity issues and trends in an open format. Attendees are encouraged to join the conversation and get their questions answered. SBS will also offer products and services to help financial institutions with these specific issues.