This past month the FFIEC issued a statement to provide clarification on several questions it had received about the Cybersecurity Assessment Tool (CAT).
Since the release of the CAT, and again since last month's statement, I have received numerous questions from clients. I wanted to share them with you to give you insight into the tool's value and its use by your management team. So, here are our FAQs:
Does a financial institution have to use the CAT?
No. The CAT is an optional tool. Other tools, risk assessments, or frameworks, such as the NIST Cybersecurity Framework or the DHS Cyber Resilience Review (CRR), may be used instead to identify cyber risks and assess preparedness.
What is the value of the CAT to management?
The CAT's main value lies in identifying the factors that contribute to the institution's overall cyber risk. The tool also assesses and evaluates the institution's cybersecurity preparedness. Management can then use the results to determine which risk management practices and controls are needed to strengthen the institution's cyber resilience.
How does the CAT align with the NIST Cybersecurity Framework?
The best way to see how they align is to review the mapping of the NIST Cybersecurity Framework to the Assessment, which is included as Appendix B of the Assessment.
Can the CAT be used as part of the financial institution’s oversight of third parties?
Yes. The CAT may be used as a resource for the oversight of third parties as part of the institution’s third-party management program.
How does a financial institution account for controls in the CAT implemented by a third-party service provider?
Management may consider adding, in each domain where a control is implemented by a third-party service provider, a statement describing how the institution oversees that provider. For example, “Domain 4: External Dependency Management” provides a structure for evaluating the institution’s oversight of third-party service providers.