NAIC CyberSecurity Task Force To Review Federal Financial Institutions Examination Council’s (FFIEC) Cyber-Assessment Tool

Aug 10, 2015

Insurance Regulation Lawyer

Above:  Colodny Fass’ Donovan Brown Notes Federal Financial Institutions Examination Council’s (FFIEC) Cyber-Assessment Tool Now Available For Use


The National Association of Insurance Commissioners (“NAIC”) Cybersecurity Task Force will discuss the Federal Financial Institutions Examination Council (“FFIEC”) Cybersecurity Assessment Tool (“CAT”) as part of its Summer 2015 National Meeting agenda (Twitter Hashtag ) on Sunday, August 16 in Chicago.

Released during mid-June 2015, the CAT is designed to help institutions identify their risks and assess their cybersecurity preparedness.  The CAT’s release follows a 2014 pilot assessment of cybersecurity preparedness at more than 500 institutions.

The FFIEC plans to update the CAT as threats, vulnerabilities and operational environments evolve.

In addition to the CAT, the FFIEC offers accompanying resources, including an executive overview; a user’s guide; an online presentation explaining the CAT; appendices mapping the CAT’s baseline maturity statements to the FFIEC Information Technology Examination Handbook, as well as mapping all maturity statements to the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework; and providing a glossary of terms.

FFIEC members are also encouraging institutions to comment on the CAT through an upcoming Paperwork Reduction Act notice in the Federal Register that has not yet been published.

In light of the increasing volume and sophistication of cyber threats, the CAT provides a repeatable and measurable process for financial institutions to measure their cybersecurity preparedness over time.

The FFIEC provides several resources to further awareness of cyber threats and help financial institutions improve their cybersecurity.  These resources are available on the FFIEC Web site at, as well as below:


Overview for Chief Executive Officers and Boards of Directors

Cybersecurity Assessment Tool 


FFIEC Cybersecurity Assessment Tool Presentation View Slides | View Video


Process Flow for Institutions:

Step 1:  Read Overview for Chief Executive Officers and Boards of Directors to gain insights on the benefits to institutions of using the CAT, the roles of the CEO and Board of Directors, a high-level explanation of the CAT, and how to support its implementation.

Step 2:  Read the User’s Guide to understand all of the different aspects of the CAT, how the inherent risk profile and cybersecurity maturity relate, and the process for conducting the CAT.

Step 3:  Complete Part 1: Inherent Risk Profile of the Cybersecurity Assessment Tool to understand how each activity, service and product contribute to the institution’s inherent risk, determine the institution’s overall inherent risk profile and whether a specific category poses additional risk.

Step 4:  Complete Part 2: Cybersecurity Maturity of the Cybersecurity Assessment Tool to determine the institution’s cybersecurity maturity levels across each of the five domains.

Step 5:  Interpret and Analyze CAT Results to understand whether the institution’s inherent risk profile is appropriate in relation to its cybersecurity maturity and whether specific areas are not aligned.  If management determines that the institution’s maturity levels are not appropriate in relation to the inherent risk profile, management should consider reducing inherent risk or developing a strategy to improve the maturity levels.

Refer to the User’s Guide for additional explanation of Steps 3, 4 and 5.

In addition to the “Overview for Chief Executive Officers and Boards of Directors,” the FFIEC has released the following documents to assist institutions with the CAT.



Should you have any questions or comments, please contact G. Donovan Brown at Colodny Fass (+1 850 545 8864 or



Click here to follow Colodny Fass on Twitter (@ColodnyFassLaw)


To unsubscribe from this newsletter, please send an e-mail to