FFIEC Cybersecurity Assessment Tool

Home
What we do

Technology
Powering the future of wealth with enterprise platform solutions that address complex business challenges.

Operations
Achieving operational excellence with business process outsourcing and data management that help clients improve efficiency and performance.

Asset management
Connecting investors to what matters most, so they can achieve their goals and make confident decisions.

Featured
Who we serve

RIAs and financial advisors

Wealth and asset managers

Banks and broker-dealer advisors

Institutional investors

Families and individuals

Featured
Insights

Insights
Perspectives and happenings from our leaders and experts

Newsroom
The latest news and announcements

Featured
Investor relations

Overview
The latest financial information for shareholders

Events and webcasts
Timely shareholder announcements and event information

Governance

Reports and filings

Stock information

Board diversity matrix

Featured
About us

Our story
Who we are, what we do, and how we do it.

Our commitment
Building brave futures through the power of connection.

Our leadership team

Newsroom

Locations

Careers

September 21, 2022

3 MIN READ

What is the FFIEC Cybersecurity Assessment Tool?

The FFIEC Cybersecurity Assessment Tool (CAT) is a method used to measure a financial institution’s cybersecurity risk and preparedness over time. While the primary guidance is for national banks, community banks, and credit unions of all sizes, it can also be helpful for non-depository institutions.

The CAT is composed of controls across various maturity levels and approximately 30% of those controls relate to the National Institute of Standards and Technology’s (NIST) cybersecurity framework.

How does the CAT work?

After obtaining the assessment, users select the most appropriate risk level across hundreds of controls under the inherent risk profile. Cybersecurity maturity is determined based on the selected declarative statements for each assessment factor. As a result, the CAT provides users with measurable and repeatable processes by combining responses from part one and two in the assessment.

Cyber risk and maturity defined

Part 1: Inherent risk profile is the level of risk posed to your institution by:

Technologies and connection types
Delivery channels
Online/mobile products and technology services
Organizational characteristics
External threats

Part 2: Cybersecurity maturity measures your level of risk and corresponding controls.

This includes controls to determine whether your institution’s processes support cybersecurity preparedness within five domains:

Domain 1: Cyber risk management and oversight
Domain 2: Threat intelligence and collaboration
Domain 3: Cybersecurity controls
Domain 4: External dependency management
Domain 5: Cyber incident management and resilience

How often should you complete the assessment?

Auditors increasingly request institutions to complete the assessment to demonstrate compliance, making CAT widely used across financial services. It’s best practice to conduct the assessment annually to help institutions with cybersecurity strategy and business growth, and to keep them up to date on controls.

Finding the right cybersecurity partner

Completing the CAT is not a simple task. It may pose as a burden for IT and risk professionals so when working with cybersecurity partners, it is crucial the partner selected can do the following:

Help provide responses based on the cybersecurity program they have implemented for your organization
Improve your organization’s risk posture
Prove their firm also has a mature cybersecurity program in place

Inheriting SEI’s maturity

Over two decades ago, SEI built a cybersecurity program to protect its own assets. As a highly regulated financial institution, audits are an ongoing process and an investment in cybersecurity is a priority. We realized financial services firms deserve a highly secured program to protect themselves and their clients from threat actors.

The cybersecurity program and protection we provide to our clients is the same level of protection we use for ourselves, ultimately, allowing our clients to inherit our maturity and experience.

Example of how a firm inherits SEI’s maturity
Domain	Assessment Factor	Component	Maturity Level	Mapping Number	Declarative Statement
2:Threat Intelligence & Collaboration	1: Threat Intelligence	1: Threat Intelligence & Information	Innovative	D2.TI.Ti.Inn.2	The institution is investing in the development of new threat intelligence and collaboration mechanisms (e.g., technologies, business processes) that will transform how information is gathered and shared.
2:Threat Intelligence & Collaboration	2: Monitoring & Analyzing	1: Monitoring and Analyzing	Innovative	D2.MA.Ma.Inn.1	The institution uses multiple sources of intelligence, correlated log analysis, alerts, internal traffic flows, and geopolitical events to predict potential future attacks and attack trends.
2:Threat Intelligence & Collaboration	2: Monitoring & Analyzing	1: Monitoring and Analyzing	Innovative	D2.Ma.Ma.Inn.2	Highest risk scenarios are used to predict threats against specific business targets.
3: Cybersecurity Controls	2: Detective Controls	3: Event Detection	Innovative	D3.Dc.Ev.Inn.1	The institution is leading efforts to develop event detection systems that will correlate in real time when events are about to occur.