FFIEC Releases Answers To FAQs About Cybersecurity Assessment Tool

King & Spalding

On October 17, 2016, the Federal Financial Institutions Examination Council (“FFIEC” or the “Council”) released a set of answers to frequently asked questions about its cybersecurity assessment tool (the “CAT”). The FFIEC, an interagency council mandated to prescribe principles and standards for financial institution examinations, released the CAT in 2015 to help companies identify and assess cyber risks by analyzing their inherent risk profiles and institutional capabilities to handle such risks. Since the CAT’s release, the Council—whose voting members include representatives from the Federal Deposit Insurance Corporation, the Board of Governors of the Federal Reserve System, the Consumer Financial Protection Bureau, the Office of the Comptroller of the Currency, the National Credit Union Administration, and the FFIEC’s State Liaison Committee—received a number of questions about the self-assessment tool and compiled answers to them in last week’s release.

First, the FFIEC addresses the rationale for the CAT. The Council notes that cyber-attacks continue to increase and “[m]anagement of financial institutions and management of third-party service providers are primarily responsible for assessing and mitigating their entities’ cybersecurity risk.” Per the Council, the CAT helps companies identify those risks and evaluate overall cybersecurity preparedness. The FFIEC further states that use of the CAT is not mandatory and points out that management “may choose to use the [CAT], or another framework, or another risk assessment process to identify inherent risk and cybersecurity preparedness.” The Council developed the CAT “as a voluntary tool that institution management may use to determine the institution’s inherent risk and cybersecurity preparedness.”

The FFIEC also responds to the question of how the CAT aligns with the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework. The Council states that the NIST Cybersecurity Framework, the FFIEC Information Technology Examination Handbook, and “industry-accepted cybersecurity practices” were used to create the CAT. The FFIEC points out that a mapping of the NIST Cybersecurity Framework to the CAT is available and notes that the NIST “reviewed and provided input on the mapping to ensure consistency with NIST Cybersecurity Framework principles and to highlight the complementary nature of the two resources.” The FFIEC further states that it does not plan to release an automated version of the CAT.

With respect to third parties, the FFIEC confirms that the CAT can be deployed as part of an institution’s oversight of its third-party relationships. The Council states that “[m]anagement is responsible for the assessment of the risk associated with the nature, extent and complexity of its institution’s third-party relationships” and “[s]uch assessment includes evaluating the extent to which controls put in place by the institution’s third-party service providers could be considered in the institution’s mitigation of its overall cybersecurity risk, including the cybersecurity risk associated with its use of third-party service providers.”

Finally, the FFIEC notes that its constituent members “plan to update the [CAT] as threats, vulnerabilities and operational environments evolve” and that these updates “may be made to incorporate new and updated regulatory guidance, address any identified gaps or enhancements in the [CAT], add or change declarative statements or incorporate feedback from the industry.”

This additional guidance from the FFIEC will serve as a valuable resource for any financial institution that has deployed or is considering deploying the CAT as part of its cyber controls apparatus. Financial institutions can also contact FFIEC member agencies directly about the CAT or consult with counsel with respect to using it.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
