You had a good run (Cybersecurity Assessment Tool)
If you were an information technology worker in the financial institution sector in June 2015, when the Federal Financial Institutions Examination Council (FFIEC) released its “optional” Cybersecurity Assessment Tool (CAT), you remember facing the daunting task of answering the nearly 500-question survey that then rated your cybersecurity posture. The FFIEC was quick to tell institutions that completing it was not mandatory, but that examiners would rely on the tool for a large part of their examinations, which made it highly recommended that every financial institution complete the exercise. Regulators also noted that an institution that did not use the tool was expected to adopt a different security framework in its place.
From a security standpoint, Snodgrass saw this as a positive and comprehensive tool to help financial institutions reach a strong security posture. The FFIEC noted that all financial institutions were expected to meet the “baseline” level or they could expect comments in their regulatory reports until they did. So while completing the assessment itself was not mandatory, financial institutions were still required to meet the baseline standards. We quickly reviewed our audit programs to ensure that our clients were meeting the baseline items and gave them feedback in the control areas where they appeared to fall short.
In 2015, this tool, while great for strengthening our clients’ security posture, ended the era in which we could tell clients that their asset size, number of branches, or number of employees would factor into which controls they were required to have in place. In effect, it took the subjectivity out of the audits that regulators and Snodgrass performed: every financial institution had to implement every baseline control to reach that standard. This did not make all of our clients happy, since some had to increase security in areas where they felt their size and number of employees or branches reduced their risk, but the FFIEC was responding to a changing threat landscape in which smaller institutions were being attacked more often. The days of telling clients that they carried a smaller target on their back than a much larger institution were gone, because that statement simply no longer held true. We were seeing attacks on institutions regardless of size and complexity, and the growing use of artificial intelligence to exploit systems even faster means the number of attacks will continue to increase.
On August 29, 2024, the FFIEC announced that the CAT would be sunset on August 31, 2025, and would no longer be available as a resource on its website. The announcement noted that the FFIEC had decided not to update the tool to reflect newer government resources such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework version 2.0 and the Cybersecurity and Infrastructure Security Agency (CISA) Cybersecurity Performance Goals. The FFIEC stated that these two resources, among others, are helping businesses of all sizes and sectors manage their cybersecurity risks. How examiners will use these frameworks in their examinations was to be discussed further during a webinar for financial institutions in the fall of 2024, and institutions were strongly encouraged to attend. The announcement went on to list several other resources our clients can use. While noting that it does not endorse any particular framework, the FFIEC indicated that every financial institution should choose a security framework and continue to use it regularly to assess its cybersecurity posture. Snodgrass will therefore re-review these frameworks and ensure that our general computer control reviews factor the frameworks’ elements and recommendations into our work papers. For more information, or to view the announcement itself, use the hyperlink below or visit the FFIEC’s website.
https://www.ffiec.gov/press/pdf/CAT_Sunset_Statement_FFIEC_Letterhead.pdf
For more information about Snodgrass’ Information Technology services, learn more here.