FFIEC Cybersecurity Assessment Tool:
A tool that helps institutions identify their risks and determine their cybersecurity preparedness. The FFIEC states that use of the Tool is voluntary; however, each regulator has different expectations of an institution’s use of the Tool.
Is it Required?
Here’s what the agencies have to say:
OCC – In a letter to the Government Accountability Office, Comptroller Curry stated, “[w]e expect to begin using this Cybersecurity Assessment Tool in selected examinations that commence during the fourth quarter of 2015.” On June 30, 2015, the OCC stated that it intends for OCC Examiners to “gradually incorporate the Assessment [CAT] into examinations of national banks, federal savings associations, and federal branches and agencies (collectively, banks) of all sizes.”
FDIC – The FDIC has indicated, through Financial Institution Letter 28-2015, that “FDIC examiners will discuss the Cybersecurity Assessment Tool with institution management during examinations to ensure awareness and assist with answers to any questions.”
Federal Reserve – The Federal Reserve Board has explicitly stated its intent to begin using the Assessment, “…in late 2015 or early 2016 … as part of [the] examination process when evaluating financial institutions’ cybersecurity preparedness in information technology and safety and soundness examinations and inspections.” (SR-15-9, July 2, 2015)