That is a question that I see continually asked in various articles and websites. This article by Tracy Kitten at bankinfosecurity.com tries to answer just that.
Below are my summary and reaction, along with a link to the original article:
- Banks should NOT expect new cybersecurity guidance anytime soon. The FDIC winter edition of Supervisory Insights (which I discussed in a prior blog article here) hints at this. Besides, examiners are just now starting to look at what banks have done with the new Tool; it is a little early to shake things up now. I would expect at least one examination cycle before any major changes are made. Until then, the FFIEC Cybersecurity Assessment Tool (CAT) is here to stay.
- The article also goes on to imply that banks should be using the NIST Cybersecurity Framework in lieu of, or alongside, the FFIEC CAT.
- My recommendation is this: in a world of limited resources, banks should focus on the FFIEC CAT. It ties back to the NIST framework and the FFIEC IT Examination Handbook and was created specifically for banks. If you are using it to assess your risk and are working toward an appropriate maturity level, you are going to be in pretty good shape.