The Cybersecurity Assessment Tool (“CAT”) is a valuable tool for institutions to use to assess their security strategy. While completing the CAT is not required, regulators will use the CAT results to help assess an institution if the results are provided to them. Because of this, we often see institutions experiencing a lot of stress over completing the CAT.
This week, the Friday 5 looks at tips for making the CAT experience healthy:
- Don’t make the mistake of ignoring the CAT: The CAT is based on what regulators look at when they examine an institution. While it is true that the CAT is not required, completing at least the Baseline and Evolving portions of the CAT will provide an early warning to management of weaknesses that may be the focus of regulators in future exams. It is better to be proactive in identifying these weaknesses than to wait for a regulator to point them out.
- Understand the inherent risk questions: Some of the inherent risk questions are confusing, and it is not uncommon to see institutions rate themselves at significant risk for an item when they are actually at a minimal risk level. Make sure you spend time reviewing regulator guidance for any items you are unclear on. You can also email any of your questions to support@bedelsecurity.com!
- Complete the CAT in stages: We often see institutions attempt to complete the entire CAT at once. This tends to result in fatigue and in not enough thought being given to the answers. We recommend going through all Baseline maturity level statements first. Once Baseline is complete, proceed to the statements for the Evolving maturity level. Repeat this until you reach a maturity level you have not achieved. Do not continue with higher maturity levels until you have a thorough understanding of why you are not meeting the requirements for the lower maturity level.
- Prioritize remediation projects: When prioritizing projects, make sure you order them based on the maturity level they relate to. Do not devote resources to a project to achieve Advanced maturity if you have not yet reached Baseline maturity.
- Pick your maturity goal carefully: Humans have a tendency to move to the middle of any scale, so it is not uncommon to see institutions choose the Intermediate or Advanced maturity level as their goal. Achieving that level of maturity can take a lot of effort and expense. Be sure to understand what is required to achieve a maturity level before you commit to it. Perform a risk assessment to confirm that the maturity level you chose is appropriate for your institution.
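The staged walk-through and level-based prioritization described in the tips above can be kept honest with a small script. The following is an added example written for this post; it is not part of Bedel Security's CAT workbook or the FFIEC tool. It assumes, as a modeling choice rather than something the post states, that a maturity level counts as achieved only when every declarative statement in that level is answered "Yes", and the statement identifiers and answers are constructed placeholders, not CAT content.

```python
"""Added example: model the staged CAT maturity walk-through.

Assumption (not stated in the post): a level is achieved only when every
declarative statement in it is met. Statement ids and answers below are
constructed sample data, not CAT content.
"""

# CAT maturity levels in ascending order.
LEVELS = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]

# Constructed sample responses: level -> {statement id: met?}.
SAMPLE_RESPONSES = {
    "Baseline": {"B.1": True, "B.2": True, "B.3": True},
    "Evolving": {"E.1": True, "E.2": False, "E.3": True},
    "Intermediate": {"I.1": False, "I.2": True},
    "Advanced": {"A.1": False},
    "Innovative": {"N.1": False},
}


def achieved_levels(responses):
    """Return the contiguous run of levels, starting at Baseline, in which
    every statement is met. A level with no recorded answers has not been
    assessed yet and therefore breaks the run."""
    out = []
    for level in LEVELS:
        answers = responses.get(level, {})
        if answers and all(answers.values()):
            out.append(level)
        else:
            break
    return out


def first_unachieved_level(responses):
    """The level to work on next, or None when every level is achieved."""
    done = achieved_levels(responses)
    return LEVELS[len(done)] if len(done) < len(LEVELS) else None


def remediation_plan(responses):
    """List every unmet statement ordered by maturity level. Only statements
    in the first unachieved level are flagged 'now'; gaps in higher levels
    are 'deferred' so resources are not spent on Advanced work before the
    lower level is closed out."""
    target = first_unachieved_level(responses)
    plan = []
    for level in LEVELS:
        for sid, met in sorted(responses.get(level, {}).items()):
            if not met:
                status = "now" if level == target else "deferred"
                plan.append((level, sid, status))
    return plan


if __name__ == "__main__":
    print("Achieved:", achieved_levels(SAMPLE_RESPONSES))
    print("Work on next:", first_unachieved_level(SAMPLE_RESPONSES))
    for level, sid, status in remediation_plan(SAMPLE_RESPONSES):
        print(f"{status:>8}  {level:<13} {sid}")
```

With the sample data the script reports Baseline as achieved, Evolving as the level to work on next, and flags only E.2 for immediate remediation; the Intermediate, Advanced and Innovative gaps are listed but deferred, which is exactly the ordering the fourth tip asks for.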
If you've struggled with the CAT before but are determined to do it yourself, we've created our own Excel-based version of the Cybersecurity Assessment Tool that is simple to use and has received a lot of great feedback. Download your free CAT here!
Other Resources:
- Get the Most Out of Your Cybersecurity Assessment Tool
- 5 Things to Know About the NCUA Automated Cybersecurity Examination Tool
Did you find this article helpful? Have helpful articles just like this delivered straight to your inbox weekly by signing up for our newsletter. Use the form below!