Cybersecurity Assessment Tool: An Update

The FFIEC issued a tool in June of this year to aid financial institutions (FI) in identifying and mitigating cyber risks.  The verdict is still out on whether or not this tool is a requirement, highly recommended or completely optional.  Upon first look at this tool in PDF format, it can appear confusing and cumbersome.  So let’s first break down the pieces of the CAT and then I’ll explain how Traina & Associates can help you with your CAT if you choose to implement this at your FI.

The CAT consists of two parts that are to be completed independently of each other.  After you complete both parts, you can then assess if appropriate controls are in place and, if not, develop a plan to implement the appropriate controls to achieve the desired maturity level. 

Part 1: Inherent Risk Profile

The inherent risk profile (IRP) consists of 39 questions that are to be answered to determine your FI’s overall risk.  Each question has five possible choices which are linked to a risk level (Least, Minimal, Moderate, Significant and Most).  The next step after answering 39 questions is to tally up the results.  Your inherent risk is determined by the risk level with the highest amount of marks.  If there is a tie, it’s recommended to opt for the higher risk level.

Part 2: Cybersecurity Maturity Model

The second part of the CAT is the more arduous portion of the tool.  It consists of 494 declarative statements that you need to check off if true for your FI.  These declarative statements are divided among five domains and each domain further divides these declarative statements into assessment factors and contributing components.  Each drilled down category divides the declarative statements into five maturity levels: Baseline, Evolving, Intermediate, Advanced and Innovative.

Part 3: Analysis

Next you use the chart below to determine your maturity level for each of the five domains based on your inherent risk profile.  You will see that each inherent risk level has multiple maturity levels.  The immediate goal is to meet the minimum maturity level, plus any additional maturity levels below that minimum.  The overall objective after meeting the minimum levels is to ‘mature’ over time and implement additional declarative statements resulting in a robust cybersecurity risk management program.

Inherent Risk and Maturity matrix


Traina & Associates to the Rescue

So are you more confused now than before you started reading? The best way to understand this is to contact us for our free FFIEC cybersecurity assessment tool.   The PDF provided by the FFIEC is not a functional tool but more of an instruction manual.  Our automated tool provides the following benefits.

  • Delivers the inherent risk profile in multiple choice format, which includes options to filter out the questions you have completed.
  • Presents the maturity model in a checkbox format, with room for notes and options to filter out the declarative statements by maturity level and status of completeness.
  • Easy-to-use analysis that calculates your inherent risk and lets you determine the risk level to apply to the maturity model.
  • The ability to print reports of the analysis and declarative statements using multiple filter options.

If you are still apprehensive completing the CAT, Traina & Associates can assist you in completing the tool.  After the initial completion, you can continue utilizing the tool to achieve a higher maturity level as technology and risks change at your FI.