FFIEC Cybersecurity Assessment Tool:
Sunset or Dawn of a New Day?
BY JASON CORDER
It’s official – the FFIEC Cybersecurity Assessment Tool, also known as the CAT, is leaving the building. In August 2024, the FFIEC issued its CAT Sunset Statement on behalf of its members, noting a sunset date of August 31, 2025. This announcement seems long overdue, as the CAT was last updated in May 2017 and arguably provides little in the way of actionable information for community banks, a sentiment that dates back to when it was first released in 2015. For example, knowing that a bank has a cybersecurity maturity level of “Baseline” in “Strategy/Policies” under “Cyber Risk Management and Oversight” probably provides little help for executive management in determining whether additional action is needed to address cybersecurity strategy- or policy-related shortcomings. The CAT also includes a process for identifying an inherent risk profile, but the “one size fits all financial institutions” approach results in an ill-fitting outfit for everyone.

The CAT does provide a useful standard in that it allows bankers to know what the bank examiners are expecting concerning the assessment of cybersecurity risks. Community banks are not officially required to complete the CAT; however, examiners seem very comfortable with it and generally expect to see a completed version. When banks have failed to complete the CAT, even if a tailored, threat-based cybersecurity risk assessment has been completed instead, it has often resulted in criticism or extra discussion from the regulators. So, even if for that reason alone, most banks seem to have decided that completing the CAT is worth the effort.

The question is: what now? Banks still need to measure, monitor, and mitigate cybersecurity risk. How will banks do this in the post-CAT world?

The CAT Sunset Statement offers some guidance in this area by remarking that “while the FFIEC does not endorse any particular tool, these standardized tools can assist financial institutions in their self-assessment activities.” The statement then lists several cybersecurity frameworks and cybersecurity controls resources, including:

• NIST Cybersecurity Framework 2.0
• CISA Cybersecurity Performance Goals | CISA
• Cybersecurity Performance Goals: Sector-Specific Goals | CISA
• Cyber Risk Institute Cyber Profile
• Center for Internet Security Controls

A cybersecurity controls framework is a risk-based approach to reducing cybersecurity risk. A framework can provide a structured way of developing and maintaining an effective cybersecurity posture. Though banks may not be required to officially adopt a framework at this time, it may be helpful for bank management to begin having discussions about how cybersecurity risk will be appropriately measured and mitigated after the CAT rides off into the sunset. A cybersecurity framework may be an effective way to do this. At a minimum, bankers should be prepared for examiners to discuss cybersecurity frameworks during the upcoming examination cycles.

The retirement of the CAT means that other methods of cybersecurity risk assessment and risk management will be necessary. Documenting a bank’s controls within a cybersecurity framework structure may be a valuable way to strengthen the financial institution’s overall cybersecurity. At the very least, choosing to follow one of the standardized tools listed above can allow a bank to align its control efforts with an established framework while also addressing regulatory expectations.

Jason Corder is a Senior Vice President with Sawyers & Jacobs LLC, a consulting firm focused on serving financial institutions. Sawyers & Jacobs is an ACB Associate Member. Jason may be reached at 901-828-1942 or jcorder@sawyersjacobs.com.
Arkansas Community Banker | 6 | Fall 2024