The FFIEC’s Cybersecurity Assessment Tool (CAT) is crucial for compliance, and the IT Regulatory Compliance group always likes to cover it. Since the 2015 release of the CAT, I have noticed a trend that I believe is worth sharing. I have spoken with financial institutions (FIs) that have recently experienced personnel changes – such as new Network Administrators or new Information Security Officers. I like to ask if the new contact knows that the CAT has been updated, and often the answer is no. Or, as is often the case with the shuffle of personnel, the new hire does not know where to even find the most recent CAT, much less know whether it has been updated.
Creating a CAT Crew
When it comes to completing the CAT, the ITRC group has encouraged FIs to approach it as a team effort. It’s a massive document that covers many different areas. Assembling a team to complete and update the CAT is incredibly beneficial. Not only does this make the process much easier, but you benefit from the varied expertise each team member brings to the table. One person may be more knowledgeable on the technical declarative statements while another is more knowledgeable on incident response and disaster recovery/business continuity planning.
Using a team approach allows for a more accurate CAT, giving you a better picture of how your risk and maturity levels align. And frankly, having a team dedicated to the CAT is just good succession planning. This way, if a Network Administrator or Information Security Officer leaves, there are other personnel who not only know where to find the CAT but are also aware of its latest status.
Brand New Vignettes
While we are talking about teamwork and cybersecurity, I also want to highlight the new cybersecurity vignettes released by the FDIC on October 19 (FIL-63-2018). There are now nine vignettes and challenge questions available, covering topics such as phishing, DDoS attacks, ransomware, and supply chain attacks. These vignettes present excellent opportunities to discuss how you would respond. While using these vignettes with the incident response team is the most obvious scenario, they can prove beneficial with other audiences as well. For example, consider presenting them to your board of directors and senior management personnel. Different functional areas within your FI could present further opportunities for discussion and shared insights on potential risks and mitigating strategies.
Share the Load
Cybersecurity impacts all your employees, not just the IT department. Effective cybersecurity is the responsibility of each employee, from the top down. FIs that can ensure that all employees are aware of the role they play are better positioned to achieve and maintain appropriate levels of cybersecurity maturity. Using the team approach does not just make the process of cybersecurity easier; it also makes the institution more secure and resilient.