Banking in the Ninth

5 Things - A Nontechnical Approach to Cybersecurity Risk Management and the FFIEC CAT

Safety and Soundness Update - December 2015

Jerome Combs | Supervisory Examiner

Published December 7, 2015  | December 2015 issue

The Federal Financial Institutions Examination Council (FFIEC) released the Cybersecurity Assessment Tool (CAT) in June 2015.1 The banking agencies developed this tool to help institutions identify their cybersecurity risks and determine their preparedness. This article provides a basic overview to the two parts of the CAT and focuses on five data questions that can improve cybersecurity risk management awareness.

A few definitions before I cover the details: Cybersecurity is a subset of information security; the practice of defending data/information (electronic or physical) from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.2 Confidentiality, integrity and availability of data are critical, especially sensitive and private data. Understanding key aspects of managing data helps build effective cybersecurity risk management.


The CAT contains two parts. The first measures an institution’s Inherent Risk Profile while the second helps assess Cybersecurity Maturity. The CAT results help an institution’s board and management determine if cybersecurity inherent risk and preparedness are aligned well and, if not, where additional action may be needed.

The CAT Inherent Risk Profile provides a framework to measure an institution’s operating environment within five categories. The framework provides various examples of products, services or operating considerations within each category. Risk in each category is rated on a five-point scale from least to most risky, depending on the activity level. The five categories include:

  1. Technologies and Connection Types
  2. Delivery Channels
  3. Online/Mobile Products and Technology Services
  4. Organizational Characteristics
  5. External Threats

The Cybersecurity Maturity portion of the CAT identifies a range of controls and activities that help define an institution’s preparedness. Risk management levels are also on a five-point scale, ranging from baseline to innovative. Cybersecurity Maturity includes statements and assessment factors to determine how an institution’s behaviors, practices and processes support cybersecurity preparedness within the following five domains:

  1. Cyber Risk Management and Oversight
  2. Threat Intelligence and Collaboration
  3. Cybersecurity Controls
  4. External Dependency Management
  5. Cyber Incident Management and Resilience

Five Questions

The CAT can seem daunting, particularly to community banks. While not a substitute for the CAT, addressing the following five data-related questions can assist management when evaluating the bank’s inherent risk and preparedness. Indeed, there is a strong connection between these simple questions and the CAT, a point I support with specific examples below.

1.   Where are the data?

Knowing where data are located helps to assess what controls are needed. The answer serves to identify where sensitive, private data are located whether data are in motion or at rest. Understanding and addressing the five categories within the Inherent Risk Profile helps an institution to better understand the activities, services and products that influence the movement and locations of sensitive, private data and associated risks and threats.

2.   Who owns the data?

Identifying data owners will help establish ownership, authority, responsibility and accountability over data and related processes, policy, hardware, software, reporting, logging and monitoring. Banks can use the categories of the Inherent Risk Profile to determine where in the organization’s operating environment ownership lies. An institution will begin to align with the baseline level of several Cybersecurity Maturity domains and, maybe at a more sophisticated level, by knowing who owns the data.

3.   What Information Technology (IT) control framework do you believe in?

Cybersecurity controls are more effective when an IT governance and information security control framework is in place. Individual controls are often designed to act together to increase effective protection. A framework is a system of such controls. Frameworks can enable an organization to manage security controls across different types of assets with consistency. Adopting and aligning with a framework can demonstrate preparedness and can help to reduce an organization’s cybersecurity risk characteristics. Several examples are noted in the footnotes to the right.34567

4.   What does “normal” look like?

“Normal” refers to baseline operations of a network. The Inherent Risk Profile helps to identify the strengths or weaknesses of processes that allow an organization to monitor critical IT operations and processes. Knowing what “normal” operating activity looks like using audit, logging and monitoring tools helps to identify unusual or suspicious activity and supports Cybersecurity Maturity.

5.   How do you know?

Threat awareness and processes that provide timely and accurate feedback to management about the implementation of controls and their effectiveness are critical components to preparedness. The Inherent Risk Profile should identify threat awareness activities, feedback mechanisms such as scanning, reporting and monitoring tools and audit controls. Effective implementation of these processes supports cyber risk management and oversight.

Management can begin to more fully understand the institution’s overall cybersecurity inherent risk profile and maturity level in each Cybersecurity Maturity domain by using the CAT and asking and answering the five data questions.


1 FFIEC Cybersecurity Assessment Tool, Overview for Chief Executive Officers and Boards of Directors, June 2015,

2 Wikipedia, September 29, 2015,


4; The CAT is mapped to the NIST Cybersecurity Framework – Appendix B: Mapping Cybersecurity Assessment Tool to the NIST Cybersecurity Framework;