
FFIEC Cybersecurity Assessment Checklist

Banking Sector Cyber Risk Management Framework

Overview

The FFIEC Cybersecurity Assessment Tool (CAT) provides a structured framework for banking institutions to evaluate their cybersecurity risk and preparedness. Developed by the Federal Financial Institutions Examination Council, it is used by regulators during examinations and by financial institutions for self-assessment. While not technically mandatory, examiners from the OCC, FDIC, Federal Reserve, and NCUA use it as a baseline for evaluating cybersecurity practices, making it effectively required for regulated financial institutions.

Assessment Structure

| Component | Purpose | What It Measures |
| --- | --- | --- |
| Inherent Risk Profile | Determine your risk level | Technologies and connection types, delivery channels, online and mobile products, organizational characteristics, and external threats |
| Cybersecurity Maturity | Evaluate your preparedness | Controls and practices across five domains at five maturity levels |
| Gap Analysis | Identify where to improve | Comparison of your inherent risk level against your cybersecurity maturity across all domains |

Inherent Risk Profile Categories

The inherent risk profile assessment evaluates your institution across several activity categories:

  • Technologies and Connection Types: Internet connectivity, wireless networks, third-party connections, cloud services, and personal devices
  • Delivery Channels: Online and mobile banking platforms, ATM networks, and emerging payment technologies
  • Online and Mobile Products: Bill payment, P2P transfers, account aggregation, and digital lending platforms
  • Organizational Characteristics: Mergers and acquisitions, number of direct ISP connections, third-party hosting arrangements, and whether you process payments for other institutions
  • External Threats: Volume and sophistication of attacks targeting your institution and the broader sector

Five Cybersecurity Maturity Domains

  • Domain 1 (Cyber Risk Management and Oversight): governance, risk management strategy, budgeting, and board reporting
  • Domain 2 (Threat Intelligence and Collaboration): threat intelligence gathering, monitoring, and information sharing
  • Domain 3 (Cybersecurity Controls): preventive, detective, and corrective controls across your infrastructure
  • Domain 4 (External Dependency Management): third-party risk management, due diligence, and contract management
  • Domain 5 (Cyber Incident Management and Resilience): incident planning, detection, response, recovery, and escalation procedures

Each domain is assessed against five maturity levels: Baseline, Evolving, Intermediate, Advanced, and Innovative.

Completing the Assessment

  • Assemble a cross-functional team including IT, information security, risk management, compliance, and business line leaders
  • Gather documentation including network diagrams, policies, incident reports, vendor inventories, and audit findings
  • Complete the Inherent Risk Profile honestly: overestimating your risk creates unnecessarily high maturity expectations, while underestimating it leaves real gaps unaddressed
  • Evaluate each declarative statement in the maturity assessment against current practices and evidence
  • Identify gaps where your maturity level falls below the minimum expected for your inherent risk profile
  • Develop a prioritized remediation plan with timelines, resource requirements, and responsible parties
  • Present findings and the remediation plan to the board of directors with recommended actions

Examination Expectations

Examiners expect institutions to demonstrate a cybersecurity maturity level appropriate for their inherent risk profile. At minimum, all institutions should achieve Baseline maturity across all domains. Higher-risk institutions are expected to demonstrate Evolving or Intermediate maturity. Examiners will look for documented evidence supporting your self-assessment, not just completed questionnaires. Common examination findings include insufficient board reporting, inadequate third-party vendor oversight, gaps in incident response testing, and lack of threat intelligence integration into security operations.

Frequently Asked Questions

Is the FFIEC CAT mandatory?

The CAT itself is voluntary, but bank examiners use it as a primary tool for evaluating cybersecurity preparedness. Not completing the assessment or being unable to demonstrate adequate cybersecurity maturity can result in examination findings, matters requiring attention (MRAs), or formal enforcement actions.

How often should we complete the assessment?

Most institutions complete the assessment annually or whenever significant changes occur, such as new technology deployments, mergers, or material changes to the threat environment. Regulators expect the assessment to reflect your current state, not a point-in-time snapshot from a year ago.

What is the minimum expected maturity level?

All institutions should achieve at least Baseline maturity across all five domains. Institutions with higher inherent risk profiles are expected to demonstrate higher maturity levels. The CAT maps minimum expected maturity levels to each inherent risk category.

How does the FFIEC CAT relate to NIST CSF?

The FFIEC CAT domains align with the NIST Cybersecurity Framework functions (Identify, Protect, Detect, Respond, Recover). Many institutions use both frameworks together, with NIST CSF as the broader cybersecurity strategy and the FFIEC CAT as the banking-specific assessment tool.

Can community banks use a simplified approach?

Yes. The FFIEC recognizes that community banks have different risk profiles and resources. Smaller institutions with lower inherent risk profiles can demonstrate Baseline and Evolving maturity. The CAT scales to the complexity and risk of the institution rather than applying a one-size-fits-all standard.


© 2026 Hunto AI. Copyright. All Rights Reserved