December 13, 2018
FFIEC CAT vs FSSCC Profile – WST
In 2015, the FFIEC developed the Cybersecurity Assessment Tool (CAT) (https://www.ffiec.gov/cyberassessmenttool.htm) to “help institutions identify their risks and determine their cybersecurity preparedness. The tool provides a repeatable and measurable process for financial institutions to measure their cybersecurity preparedness over time.” Regulatory agencies widely support and accept the CAT, and examiners expect you to complete it annually. However, anyone who has completed the CAT knows that the process can feel overwhelming given the large number of questions, particularly for smaller banks.
In October 2018, the Financial Services Sector Coordinating Council (FSSCC) released its Cybersecurity Profile (the Profile) (https://www.fsscc.org/Financial-Sector-Cybersecurity-Profile). The Profile is built from existing regulations, guidance, frameworks (including the CAT), and standards, and one of its touted benefits is that it scales better to the institution’s size and complexity. It doesn’t include everything from the CAT, but it goes into more detail in other areas, such as vendor management.
Wielded correctly, either tool will help an institution to better understand and manage its cybersecurity risk. Neither tool replaces a comprehensive IT risk assessment for your specific environment.
From a “How does this affect me?” standpoint, probably the most basic differentiation is that the CAT is the incumbent (and again, expected), and the Profile is not widely known and there’s no guarantee that it will gain mindshare with examiners. If you complete the FSSCC Profile instead of the CAT, be prepared to have a conversation on your choice. You may find yourself in an educator role.