AFTER THE SUNSETTING
CAT Tool Replacement Options
By Colleen Wynn, The AaSys Group

So, just when we have all gotten used to the CAT Tool (well, maybe that is going a little far), financial institutions will now have to decide which new tool to implement when the CAT is sunset at the end of August 2025. While the FFIEC has provided several different options, it has not really provided any guidance. In fact, if you refer to the FFIEC IT Handbook section on Control Self-Assessments (VI.D.3), there is only one paragraph describing the assessment.

It is important to point out that these tools are not risk assessments. They are, instead, an assessment of the financial institution's cybersecurity control processes, scored by placing the institution into a designated maturity level (rather than a measure of a risk response such as reduction, transfer or avoidance). Not all of the tools may provide scoring.

While the Cyber Assessment is not a "requirement," we all know that without a comprehensive tool for examiners to reference in understanding the maturity level of the institution and in gleaning how risks are measured and managed, they will have to "dig" into other documentation to get the information they are looking for.

So, what tool is right for your institution?

CYBER RISK INSTITUTE (CRI) CYBER PROFILE
• This is the only tool specifically designed for banks. The others are not bank-specific.
• The tool is getting a lot of momentum in the banking space.
• Examiners are currently training on this tool so they will understand how to evaluate cyber posture when reviewing the assessment.
• Free to financial institutions.

NIST CYBERSECURITY FRAMEWORK (CSF) 2.0
• Not bank-specific.
• Focuses on governance and supply chain but should also be used along with other resources such as guidelines, best practices and standards.
• Hard to implement.

CISA CROSS-SECTOR CYBERSECURITY PERFORMANCE GOALS (CPGs)
• Not bank-specific.
• Aligns with the National Institute of Standards and Technology (NIST) CSF.
• Focuses on governance, identification and management of risk, detection, response and recovery.
• Free to financial institutions.

CYBERSECURITY PERFORMANCE GOALS (CPGs), SECTOR-SPECIFIC GOALS (CISA)
• This is not available yet and is still in development.
• The intention is to create a tool that will be applicable to specific sectors and will be rolled out in phases.
• Financial services will be in the first phase, but no information is available on timing.

CENTER FOR INTERNET SECURITY (CIS) CONTROLS
• Not bank-specific.
• Focuses on 20 controls and 170 sub-controls.

From AaSys' standpoint, we prefer the CRI Cyber Profile because it is the only tool that is bank-specific, it is getting more traction than the others, and it seems to be the tool that examiners are learning. There is obviously more to come on this topic, and staying engaged with your peers is a good way to gauge which way the industry will go regarding a new Cyber Assessment Tool.

This information is being provided by Colleen Wynn, account executive at The AaSys Group. AaSys is a proud supporter of the VACB and provides educational resources to our Virginia community banks. Reach out to Colleen at cwynn@aasysgroup.com to learn more about the options and The AaSys Group.

The CommunityBanker