Is It Time to Take the CAT to the Vet?

Is it Time to Take the Cybersecurity Assessment Tool (CAT) to the Vet?

How a New Framework Can Improve Cybersecurity Assessments in Financial Institutions.

In the age of digital banking, maintaining robust cybersecurity risk assessments and control reviews is paramount to protecting sensitive data from potential threats, and passing rigorous IT audits and examinations. Historically, a key tool in the arsenal has been the Cybersecurity Assessment Tool (CAT) developed by the Federal Financial Institutions Examination Council (FFIEC). This blog post will delve into the CAT, its limitations, and the potential for the CRI/NIST framework to enhance cybersecurity assessments within financial organizations.

The FFIEC CAT: A Brief Overview

The CAT, initially released in 2015 and updated in 2017, is a comprehensive tool designed to help financial institutions (a) identify their inherent cyber risk exposure and (b) assess their control maturity level. It provides a framework that gives an institution a point-in-time snapshot of its current cybersecurity risks and practices. The Inherent Risk section's questions are organized around five domains: Technologies and Connection Types, Delivery Channels, Online/Mobile Products and Technology Services, Organizational Characteristics, and External Threats. The Control Maturity section contains almost 500 declarative statements in five domains: Cyber Risk Management and Oversight, Threat Intelligence and Collaboration, Cybersecurity Controls, External Dependency Management, and Cyber Incident Management and Resilience.

While the CAT is a valuable resource for financial institutions, and the de facto gold standard, it has been criticized for its rigidity and lack of clarity in some areas. Rigidity can lead to confusion when applying the tool to real-world situations and may not provide the necessary flexibility for organizations with different cybersecurity needs. Lack of clarity can introduce subjectivity in the interpretation of various questions and statements. In our experience this subjectivity has resulted in considerable differences in how examiners interpret and apply the framework. Simply put, the basic framework was a good attempt at a standardized set of best practices. But given its built-in weaknesses, and the fact that it is now 8 years old and many feel it has not kept pace with the cyber threat and control environment, it may be time to consider adopting a new framework.

Introducing the CRI/NIST Framework

To address these limitations, the ABA recently issued an open letter to the FFIEC encouraging it to turn to the National Institute of Standards and Technology (NIST) CSF-based assessment tool called the Financial Sector Profile (now the Cyber Risk Institute (CRI) Profile)*. The Profile was developed in conjunction with the Financial Sector Coordinating Council (FSSCC), trade associations, and financial institutions, and contains a forward and backward mapping between its statements and the FFIEC CAT statements, as well as the BCMP, Operations, Audit, and Management Handbooks.

The framework comprises five core functions: Identify, Protect, Detect, Respond, and Recover. These functions provide a comprehensive outline for organizations to manage their cybersecurity risks effectively. The framework is designed to be adaptable, allowing institutions to prioritize and implement the most relevant security measures for their unique situation.

Benefits of Aligning the CAT with the New Framework

Incorporating and aligning the CRI/NIST framework into the CAT assessment process can greatly enhance cybersecurity within financial organizations. Some key benefits (and potential pitfalls) of this alignment could include:

  1. Flexibility and Customization: The NIST-based framework’s adaptable nature allows institutions to focus on the most relevant security measures, ensuring their cybersecurity practices are tailored to their unique risk profiles. However, adaptability can also introduce differences of opinion among practitioners about how those measures should be implemented.
  2. Improved Clarity: By incorporating the NIST-based framework’s clearly defined functions, institutions can gain a better understanding of their cybersecurity requirements and make more informed decisions. However, a clearer understanding of your cyber risk profile can only lead to better decision-making if (and only if) it can be effectively communicated to senior management.
  3. Enhanced Collaboration: The NIST-based framework encourages collaboration between financial institutions, fostering a community-driven approach to cybersecurity and promoting the sharing of best practices. How (or if) this collaboration occurs remains to be seen, but smaller institutions generally interact with their peers less often than their larger counterparts.
  4. Streamlined Assessment Process: Combining/converging the CAT with the CRI/NIST framework simplifies the assessment process, reducing redundancies and allowing organizations to focus on the most critical cybersecurity issues. We have long been advocates of a single, shared standard for all guidance and best practices, and in our opinion this is the most valuable takeaway from a potential CAT <-> CRI/NIST integration. A single standard built on a widely accepted framework eliminates the primary weaknesses of the current cybersecurity assessment process: lack of clarity and lack of flexibility.

Conclusion

While the FFIEC’s CAT has served as a valuable tool for assessing cybersecurity maturity, its limitations can hinder financial institutions in fully understanding their risks and making the best decisions for protecting their data. By aligning (or even replacing) the CAT with the NIST/CRI Cybersecurity Framework, institutions can benefit from a more flexible, consistent, and customizable approach, ultimately leading to improved cybersecurity measures and a safer financial ecosystem.

*We have received feedback from some of our OCC regulated institutions that their examiners have already started using the CRI Profile in their examinations.
