Pub. 11 2022 Issue 5

Cybersecurity Assessment: Do I Have To?

Since the beginning of the pandemic, I have had numerous online conversations with customers. Frequently, everyday life intersects with these conversations. Moms and dads are working from home while simultaneously serving as teachers and caregivers in the process. It is not unusual to hear children crying in the background, asking the age-old question, “Do I have to?”

I sometimes find myself asking that same question as I work with customers to complete their Cybersecurity Assessment Tool (CAT). Even though the FFIEC states that completion of the CAT is not “required,” the more practical answer depends on whom you ask.

The Right Tool for the Job
Completing a cybersecurity assessment using the CAT is not technically an absolute requirement. However, the CAT does serve as a valuable tool. It allows an institution to gauge its position from an inherent risk perspective and how both existing and future controls influence its cybersecurity maturity. The FFIEC’s Information Security Booklet states:

“The level at which controls are implemented should depend on the institution’s size, complexity, and risk profile, but all institutions should implement appropriate controls. In light of increasing cybersecurity risks, management should implement risk-based controls for managing cybersecurity threats
and vulnerabilities.”

The tool was developed to provide a repeatable and measurable process for financial institutions to assess and develop their cybersecurity control preparedness over time.

Risk assessments have always been considered foundational in information security. To build on that premise, I believe cybersecurity assessments can be considered framing. The CAT includes references to various components of an information security/cybersecurity program, including:

  • Risk Assessments
  • Policies, Standards, and Guidelines
  • Business Continuity and Disaster Recovery
  • Vendor Management
  • Incident Management

In fact, I have spoken with some examiners who characterize the CAT as a kind of risk assessment. In the Cybersecurity Assessment Tool FAQ, the FFIEC states:

“Institution management may choose to use the Assessment, or another framework, or another risk assessment process to identify inherent risk and cybersecurity preparedness.”

Evolving Maturity
If you do not understand your institution’s various levels of risk and maturity today, how can you hope to make improvements as cybersecurity risk increases over time?

My answer is the FFIEC’s Cybersecurity Assessment Tool.

I like how the declarative statements (questions) are structured to advance your control maturity.

I appreciate the terminology used throughout the assessment, such as “enterprise-wide” and “resiliency.” Terms like these communicate the CAT’s intent to help you assess and improve your entire organization’s cyber maturity.

Now and In the Future
I always stress the importance of keeping the information security program fresh by conducting updates at least annually — and often sooner — if a significant change has occurred. The CAT provides a framework to guide you through that process.

So, how to answer the original question, “Do I have to?” Is completing the Cybersecurity Assessment (CAT) at least annually a requirement? Technically, no. However, this self-assessment does provide a valuable mechanism for quantifying your cyber risk and maturity in a repeatable fashion. It also allows you to provide measurable results about your cybersecurity program’s current and future state to management, auditors, and examiners.

CoNetrix has developed an online software tool to help financial institutions such as banks, credit unions, mortgage companies, and trust companies complete and report on the FFIEC Cybersecurity Assessment Tool. Request access and learn more at:

Troy Sell has more than 40 years of professional IT experience, and much of that time was focused on mainframe technology. His background includes experience in higher education and the health care industry. During the last nine years, Troy has developed his information security/consulting skills and today assists with creating, developing, and maintaining information security programs. Additionally, Troy helps financial customers develop new ISO processes and oversight activities.