How to boost your FFIEC CAT score, Part 1: What the CAT dragged in

Since the Federal Financial Institutions Examination Council (FFIEC) introduced the Cybersecurity Assessment Tool (CAT) a few years ago, financial institutions have finally had a recommended, prescriptive path to operational cybersecurity maturity.

So what has the CAT brought us?

  • Financial institutions welcomed the CAT. While institutions aren’t required to complete the assessment, examiners use it as their framework when assessing institutions during exams. The CAT was intentionally vague and lacked specific guidance, but it did act as a tool that gave institutions the right amount of autonomy to grow in the areas they saw fit while adhering to the suggested path to maturity. It introduced new concepts, including Domain II, which covered complex topics in Threat Intelligence and Information Sharing.

  • It’s tough to evolve beyond the baseline requirement of “belonging or subscribing to a threat and vulnerability information sharing source that provides information on threats”. At my institution, we were already ahead of the curve by belonging to the FS-ISAC and being active with their various Community Institution and CyberIntel mailing lists, but the volume of information coming through was too much and mostly unactionable at a small institution like ours. There was a struggle to find a product to help cover the information overload and make the information actionable without increasing headcount or level of effort in information security resources.

  • This gap in coverage is where Perch Security has found a niche in financial services. I was a Perch user before I was an employee. I loved the product because Perch boosts an organization’s CAT Domain II maturity level and helps cover many other controls that are part of a well-defined cybersecurity program. From threat intelligence detection and response to participation in threat intelligence communities, Perch helps make up shortfalls in stretched budgets of financial institutions by backfilling with People (managed 24x7 SOC services), Process (helping bring structure around escalation and initiation of incident response and threat intel consumption) and Technology (automating the detection of the threats on your network).

Look for future blog posts from Michael Riggs, CISSP, that will cover achieving maturity in specific CAT domains.

Mike Riggs
Avian Evangelist