5 Steps to Ace the FFIEC Assessment

November 12, 2019

Financial institutions are a rich target for cybercriminals, who scoop up sensitive personal information that allows them to open fake accounts and fraudulent lines of credit. Such misappropriated funds cost financial firms millions of dollars annually.

In just one recent example, a hacker breached Capital One and accessed around 100 million credit card applications and accounts. The data included 140,000 Social Security numbers, a million Canadian Social Insurance numbers and 80,000 bank account numbers, along with names, addresses, credit scores, and other private and sensitive information.


According to research from services firm Accenture and the Ponemon Institute, there are 125 security breaches in the financial services industry each year, and the average annualized cost of cybercrime to financial institutions exceeds $18 million. No surprise, then, that the US Office of Financial Research (OFR) rates cybersecurity as a key risk in its latest annual report assessing the state of the US financial system.

In response to high threat levels, the Federal Financial Institutions Examination Council (FFIEC) has provided firms with a Cybersecurity Assessment Tool (CAT), a framework for assessing a financial institution's cybersecurity preparedness. It has quickly become the standard baseline for assessing the cybersecurity maturity of financial firms.

The FFIEC requires all companies under its purview to complete a robust assessment program. Using the one the council provides is not required but makes good sense.

How to Pass the FFIEC Assessment

Step 1: Get the Whole Firm Involved

CAT is a comprehensive assessment of every aspect of cybersecurity. Part One helps evaluate the organization's inherent risk profile based on five risk areas:

  • Technologies and connection types
  • Delivery channels
  • Online/mobile products and technology services
  • Organizational characteristics
  • External threats

A single department can't cover each element across the full 59-page assessment. Engage key personnel across all departments to create a comprehensive and accurate view of the institution.

Step 2: Evaluate Cybersecurity Maturity in Five Domains

The assessment is a major undertaking. Part Two involves assessing the organization's maturity in five cybersecurity domains:

  • Cyber risk management and oversight
  • Threat intelligence and collaboration
  • Cybersecurity controls
  • External dependency management
  • Cyber incident management and resilience

With that information in hand, organizations should analyze their security gaps and improve their compliance process.

Step 3: Reassess Your Risk Profile and Maturity

Organizations that use CAT to reach a mature cybersecurity assessment may assume that keeping things as-is will suffice the following year. All too often, that's not the case: an area in which a company did well one year may not pass the assessment the next.

The FFIEC expects management to review the company's inherent risk profile in relation to its cybersecurity maturity results for each of the five domains to gauge their alignment. Profile and maturity levels typically change over time as threats, vulnerabilities, and operational environments change. That means you need to constantly re-evaluate in light of new threats, new products or services, and new connections.


Step 4: Take Full Advantage of the Diagnostic Power of CAT

CAT offers organizations the opportunity to answer key questions about their cybersecurity, which they can then address. These include:

  • Is the institution a direct target of attacks?
  • Does the institution's cybersecurity preparedness receive an appropriate level of time and attention from executive management or an appropriate board committee?
  • What is the ongoing process for gathering, monitoring, analyzing, and reporting risks?
  • Who is accountable for assessing and managing the risks posed by changes to the business strategy or technology?
  • What third parties does the institution rely on to support critical activities?
  • What is the process to oversee third parties and to understand their inherent risks and cybersecurity maturity?

Step 5: Use CAT to Inform Your Cybersecurity Strategy

CAT is not just an assessment—it's a framework to help firms improve their resilience and ward off attacks. Where the maturity levels don't match the inherent risk profile, you can develop a strategy for getting a better score next time, which, of course, also helps protect the institution. The FFIEC recommends that firms:

  • Determine target maturity levels
  • Conduct a gap analysis
  • Prioritize and plan actions
  • Implement changes
  • Re-evaluate over time
  • Communicate the results

Use the business objectives and risk appetite of your organization to set the target levels. And learn more here about the specific ways Arctic Wolf can help you address and meet the FFIEC requirements.
