On May 31, 2017, the Federal Financial Institutions Examination Council (FFIEC) announced an update to its Cybersecurity Assessment Tool (CAT), the first since the tool's initial release in 2015. Although the FFIEC released the CAT as an "optional" assessment tool for financial institutions, it has drawn controversy both because examiners have applied it in connection with newer regulatory guidance and because of its structure and content. The previous announcement regarding the CAT, a set of FAQs for the tool, was released in October 2016.
The 2017 update is not the sweeping overhaul many financial institutions had been expecting. The Inherent Risk Profile and the Cybersecurity Maturity declarative statements, for example, are unchanged. The update does, however, include two changes:
Addition of compensating controls. The most significant change is a new answer option for the cybersecurity maturity declarative statements: "Yes With Compensating Controls" (Y(C)), in addition to the previous "Yes" or "No" (Y/N) choices. The updated guidance defines a compensating control as "a management, operational, and/or technical control (e.g., safeguard or countermeasure) employed by an organization in lieu of a recommended security control in the low, moderate, or high baselines that provides equivalent or comparable protection for an information system."1 The tool thus moves from a binary assessment to one that gives credit for alternative controls, but only where the institution can show that the alternative provides protection equivalent or comparable to the control the declarative statement describes.
Appendix mapping update. The other change is an update to Appendix A, which maps the baseline maturity declarative statements to the FFIEC IT Examination Handbook booklets. The mapping now reflects the revised Information Security and Management booklets.
Institutions should revisit their answers to the declarative statements in the maturity portion of the tool and identify any statements previously answered "No" for which a compensating control already exists. Each such control should be documented along with the rationale for why it provides equivalent or comparable protection, since that is what the definition requires. Doing so could support a higher maturity level than the institution achieved in prior assessments.
While the FFIEC now accepts compensating controls in the CAT, it is not yet known how this update affects other CAT-related examination programs such as the FDIC's InTREx. An answer of "Yes With Compensating Controls" that is acceptable for the CAT may not be treated the same way in other assessments or examinations, so institutions should be prepared to explain and document each such answer.
1 Cybersecurity Assessment Tool, Federal Financial Institutions Examination Council, May 2017, p. 8, https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_May_2017.pdf
© 2017 Crowe Horwath LLP, an independent member of Crowe Horwath International.