Cybersecurity
Published on 11 Jan 2022

Guide to Cybersecurity Assessments for Financial Institutions

A guide to cybersecurity assessments for financial institutions including guidance for the discontinuation of the CAT in 2025 and the shift to NIST 2.0 and CISA CPGs.

As the digital landscape continues to evolve, cybersecurity remains a critical concern for financial institutions. With increasing threats and the reliance on technology, organizations must regularly assess their cybersecurity posture to stay ahead of potential risks. Recently, the Federal Financial Institutions Examination Council (FFIEC) announced the sunset of its Cybersecurity Assessment Tool (CAT) by August 31, 2025. This article will provide an updated guide to cybersecurity assessments for financial institutions, considering the discontinuation of the CAT in 2025 and the shift to NIST 2.0 and CISA CPGs.

The Importance of Cybersecurity Assessments in Banking

The financial sector is a prime target for cybercriminals due to the sensitive nature of the data handled and the potential for significant financial gain. Financial institutions face a wide range of cybersecurity threats that can compromise sensitive data, disrupt operations, and lead to financial losses. Some of the common threats include:

  1. Malware: Malicious software, such as viruses, trojans, and ransomware, can infect systems and steal sensitive data or disrupt operations.
  2. Phishing: Attackers use fraudulent emails, websites, or text messages to trick individuals into disclosing sensitive information or installing malware.
  3. Insider Threats: Malicious or negligent employees, contractors, or vendors with access to sensitive data can pose significant risks to an organization's cybersecurity.
  4. Distributed Denial of Service (DDoS) Attacks: These attacks overwhelm systems or networks with a flood of traffic, causing service disruptions and downtime.
  5. Advanced Persistent Threats (APTs): Sophisticated, targeted attacks that use a combination of techniques to gain unauthorized access to systems and steal sensitive data over an extended period.

According to research by Sophos, the financial services sector is increasingly a target of ransomware attacks. From 2021 to 2023, the attack rate nearly doubled from 34% to 64%, approaching the cross-sector average of 66%. These attacks were largely caused by exploited vulnerabilities, compromised credentials, and email phishing.

A cybersecurity breach can lead to reputational damage, loss of customer trust, and legal and regulatory consequences. It is crucial for financial institutions to prioritize cybersecurity and regularly assess their defenses against ever-evolving threats. With the FFIEC's CAT being phased out, financial institutions need to adapt and consider alternative tools and frameworks to maintain a strong cybersecurity posture.

Cybersecurity Assessments in Banking

Key Components of a Cybersecurity Assessment

A comprehensive cybersecurity assessment should cover various aspects of an organization's security posture. Some of the key components include:

  1. Risk Assessment: Identifying and evaluating potential risks to the organization's assets, including data, systems, and infrastructure. This involves analyzing the likelihood and impact of different cyber threats.
  2. Vulnerability Assessment: Conducting scans and tests to identify weaknesses in the organization's networks, applications, and systems that could be exploited by attackers. This may include vulnerability scanning, penetration testing, and social engineering assessments.
  3. Security Controls Review: Evaluating the effectiveness of the organization's security controls, such as access controls, encryption, network segmentation, and incident response procedures. This helps determine whether the controls are adequate to mitigate identified risks.
  4. Compliance Assessment: Ensuring that the organization adheres to relevant cybersecurity regulations and standards, such as the Gramm-Leach-Bliley Act (GLBA), and General Data Protection Regulation (GDPR).
  5. Third-Party Risk Assessment: Assessing the cybersecurity practices of vendors, partners, and service providers that have access to the organization's sensitive data or systems. This is crucial as third-party vulnerabilities can provide entry points for attackers.

The Evolution of Cybersecurity Maturity Models for Financial Institutions

The history of cybersecurity in the financial sector is marked by a series of regulatory milestones that have progressively shaped how institutions protect sensitive information. These regulations laid the groundwork for modern cybersecurity practices by setting standards for data protection, encouraging continuous monitoring, and promoting a structured approach to managing cybersecurity risks. This regulatory evolution provided the foundation upon which later tools and frameworks, such as the FFIEC Cybersecurity Assessment Tool (CAT), were built, ensuring that financial institutions could effectively defend against an increasingly sophisticated array of cyber threats.

Cybersecurity Regulatory History 1999 – 2014  

Gramm-Leach-Bliley Act (GLBA)

The GLBA was one of the first significant regulations to address the security of customer information within financial institutions. It required these institutions to implement safeguards to protect the confidentiality and integrity of customer data. The GLBA emphasized the need for a comprehensive information security program, setting a precedent for the importance of cybersecurity in the financial sector.

Federal Information Security Management Act (FISMA)  

FISMA was introduced to improve the security of information systems within federal agencies, including those connected to the financial sector. It mandated the development of risk-based information security programs, encouraging continuous monitoring and reporting. Although FISMA primarily targeted federal agencies, its principles influenced financial institutions by promoting a structured approach to managing cybersecurity risks.

NIST SP 800-53  

NIST Special Publication 800-53 provided a detailed catalog of security and privacy controls for federal information systems. While it was originally intended for federal use, financial institutions adopted many of its principles to guide their cybersecurity practices. NIST SP 800-53 offered a framework for implementing and managing security controls, which influenced the eventual creation of more formalized cybersecurity maturity models.

FFIEC IT Examination Handbook  

The FFIEC IT Examination Handbook provided extensive guidance on managing information security risks within financial institutions. It covered key topics such as risk management, incident response, and vendor management. This handbook became an essential resource for financial institutions, guiding their cybersecurity practices and setting the stage for the development of the CAT.

NIST Cybersecurity Framework (CSF)  

The NIST Cybersecurity Framework introduced a risk-based approach to managing cybersecurity risks, structured around five core functions: Identify, Protect, Detect, Respond, and Recover. Although it was not a regulatory requirement, the NIST CSF became widely adopted in the financial sector, influencing the way institutions assessed and managed cybersecurity risks.

Initial Maturity Models: FFIEC Cybersecurity Assessment Tool (CAT)

Drawing on the foundations laid by these regulations and frameworks, the FFIEC developed the Cybersecurity Assessment Tool (CAT) to provide a structured and consistent method for financial institutions to assess their cybersecurity maturity. It integrated the principles and standards set by earlier regulations, offering a comprehensive tool tailored specifically for the financial sector.

The CAT was designed to provide a structured framework that allowed financial institutions of all sizes to evaluate their cybersecurity maturity and preparedness across five critical domains: Cyber Risk Management and Oversight, Threat Intelligence and Collaboration, Cybersecurity Controls, External Dependency Management, and Cyber Incident Management and Resilience.

The CAT became a key tool for financial institutions, enabling them to assess their cybersecurity capabilities and identify areas for improvement systematically. It also helped institutions demonstrate their cybersecurity efforts to regulators, ensuring compliance with evolving regulatory requirements. Over time, however, the cybersecurity landscape continued to evolve, and new frameworks and tools emerged, offering more flexible and adaptive approaches.

FFIEC will Sunset the Cybersecurity Assessment Tool (CAT) on August 31, 2025

In August 2023, the FFIEC announced that the CAT would be sunset by August 31, 2025. In their Official CAT Sunset Statement, they state “While the fundamental security controls addressed throughout the maturity levels of the CAT are sound, several new and updated government and industry resources are available that financial institutions can leverage to better manage cybersecurity risks.”

As the CAT phases out, supervised financial institutions should instead refer directly to the government resources themselves. Some of these resources are yet to be released, and the FFIEC will be hosting a webinar in the Fall of 2024 to discuss them.

Cybersecurity Resources recommended by the FFIEC

  1. NIST Cybersecurity Framework 2.0: The National Institute of Standards and Technology (NIST) Cybersecurity Framework provides a risk-based approach to managing cybersecurity risk. Version 2.0 consists of six core functions: govern, identify, protect, detect, respond, and recover. Financial institutions can use this framework to align their cybersecurity practices with industry standards. (Source: NIST Cybersecurity Framework)
  2. CISA Cybersecurity Performance Goals: The Cybersecurity and Infrastructure Security Agency (CISA) has developed performance goals that help organizations manage and reduce their cybersecurity risk. These goals are part of a broader government effort to improve security and resilience across all sectors, including financial services.
  3. Cyber Risk Institute (CRI) Cyber Profile: This industry-developed resource provides a comprehensive approach to assessing and managing cyber risk, specifically tailored for financial institutions.
  4. Center for Internet Security (CIS) Controls: The CIS Controls offer a set of best practices for securing IT systems and data, which financial institutions can integrate into their cybersecurity assessment processes.

Cybersecurity Resources for 2025  

NIST Cybersecurity Framework (CSF) 2.0

The NIST Cybersecurity Framework (CSF) 2.0, released in February 2024, is an evolution of the original NIST CSF introduced in 2014. It remains a cornerstone for organizations seeking to manage and reduce cybersecurity risks, providing a flexible, risk-based approach applicable to any industry, including financial services.

Overview of the NIST CSF 2.0

The CSF 2.0 is structured around six core functions: Govern, Identify, Protect, Detect, Respond, and Recover. Each function is designed to cover essential aspects of cybersecurity risk management. These functions are further divided into categories and subcategories that offer detailed outcomes for managing cybersecurity risks.

  • Govern (GV): Establishes the organization’s cybersecurity risk management strategy, policy, and oversight mechanisms.
  • Identify (ID): Focuses on understanding the organization’s cybersecurity risks by identifying assets, vulnerabilities, and threats.
  • Protect (PR): Involves safeguards to secure assets and reduce the likelihood of cybersecurity events.
  • Detect (DE): Ensures timely discovery of cybersecurity incidents through continuous monitoring.
  • Respond (RS): Guides the actions to be taken in response to detected cybersecurity incidents.
  • Recover (RC): Supports timely restoration of normal operations after a cybersecurity incident.

Key Features and Benefits

  • Flexibility and Adaptability: The CSF 2.0 is not prescriptive, allowing organizations to tailor the framework to their specific needs, risk tolerance, and regulatory environment.
  • Risk-Based Approach: By focusing on outcomes rather than specific controls, the CSF 2.0 enables organizations to prioritize actions based on their risk assessment.
  • Integration with Other Risk Management Practices: The CSF 2.0 is designed to work in tandem with other risk management frameworks, such as enterprise risk management (ERM), making it an integral part of a holistic risk management strategy.

Implementation and Use Cases

The CSF 2.0 can be used by financial institutions of all sizes, from small community banks to large multinational corporations. It provides a common language for communicating cybersecurity risks across different levels of the organization, from executives to technical staff.

For example, a financial institution can use the CSF 2.0 to:

  • Assess Current Cybersecurity Posture: By creating a “Current Profile” that maps to the CSF 2.0’s outcomes.
  • Develop a Target Profile: This profile reflects the organization’s desired state of cybersecurity maturity, helping to prioritize improvement efforts.
  • Guide Continuous Improvement: Regular assessments against the CSF 2.0 help organizations stay ahead of evolving cyber threats.

NIST Cybersecurity Framework 2.0 Resources

NIST provides a suite of online resources to help organizations implement the CSF 2.0. These include Informative References, Implementation Examples, and Quick Start Guides, which offer practical guidance on achieving the framework’s outcomes.

CISA Cybersecurity Performance Goals: A Security Baseline

The CISA Cybersecurity Performance Goals (CPGs), developed by the Cybersecurity and Infrastructure Security Agency (CISA), are a prioritized subset of IT and OT cybersecurity practices designed to enhance the resilience of critical infrastructure sectors, including financial institutions.

CPGs are not intended to be a comprehensive list of all necessary practices or a full risk management program; they are a minimum set of practices to protect critical infrastructure. They are structured to be applicable across a wide range of organizations, making them accessible for institutions of varying sizes and cybersecurity maturity levels.

CISA is working directly with Sector Risk Management Agencies (SRMAs) to develop Sector-Specific Goals (SSGs) for the 16 critical infrastructure sectors. Financial Services is among the first four sectors to be published. For the most recent updates, visit CISA Sector Specific Goals.

CISA Cybersecurity Performance Goal Criteria & Model Components

The CISA Cybersecurity Performance Goals (CPGs) are crafted to help organizations, especially those in critical infrastructure like financial institutions, prioritize key cybersecurity practices. These goals focus on three main criteria:

  • Risk Reduction: Each goal is selected for its ability to mitigate significant cyber threats and tactics.
  • Clarity and Actionability: The CPGs are designed to be straightforward, making them easy to understand and implement without requiring extensive expertise.
  • Cost-Effectiveness: The goals prioritize affordable measures, ensuring accessibility for organizations with limited resources.

Model Components:

  • Outcome: Defines the specific security results the goal aims to achieve.
  • TTP/Risk Addressed: Identifies the specific threats or tactics the goal mitigates.
  • Security Practice: Details the recommended actions or controls to implement.
  • Scope: Outlines which assets or systems the practice should apply to.
  • Recommended Action: Provides clear steps for implementation.
  • NIST CSF Reference: Links each practice to corresponding elements in the NIST Cybersecurity Framework, facilitating integration with existing programs.  

CISA Cybersecurity Performance Goal Categories and Examples

The CISA Cybersecurity Performance Goals (CPGs) are organized into five categories designed to help organizations prioritize and implement key cybersecurity practices effectively. Each category focuses on a different aspect of security, from understanding risks and protecting assets to detecting threats, responding to incidents, and recovering from them. This structure ensures organizations can build a robust cybersecurity foundation regardless of their size or maturity level.

  1. Identify: Focuses on understanding and managing cybersecurity risks, including asset inventory and leadership roles. Examples include:
    • Asset Inventory
    • Organizational Cybersecurity Leadership
    • Mitigating Known Vulnerabilities
  2. Protect: Covers measures to safeguard critical infrastructure, such as password management, network segmentation, and cybersecurity training. Examples include:
    • Changing Default Passwords
    • Network Segmentation
    • Email Security
  3. Detect: Involves identifying cybersecurity threats and tactics, techniques, and procedures (TTPs).
  4. Respond: Deals with incident response, including reporting, vulnerability disclosure, and deploying security measures like Security.txt files. Examples include:
    • Incident Reporting
    • Vulnerability Disclosure
    • Deploy Security.TXT Files
  5. Recover: Involves development and maintenance of plans to recover or restore assets impacted by an incident.

Benefits of Adopting CISA CPGs

  1. Risk Reduction: By following the CPGs, financial institutions can significantly reduce their exposure to common cyber threats, such as ransomware and phishing attacks.
  2. Alignment with Regulatory Expectations: The CPGs complement existing cybersecurity frameworks, helping institutions align with regulatory requirements and industry best practices.
  3. Support for Smaller Institutions: The CPGs are designed to be scalable, providing a clear starting point for smaller institutions that may not have the resources to implement comprehensive cybersecurity programs.

Implementation Strategies for Financial Institutions

For financial institutions, the CPGs provide a roadmap for improving cybersecurity resilience, whether starting from a basic level or enhancing existing practices. Institutions should begin by conducting a gap analysis to identify which CPGs are already in place and where additional focus is needed. From there, they can prioritize the implementation of Foundational Goals, gradually advancing to more sophisticated practices as resources and capabilities allow.
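The Current Profile versus Target Profile comparison described under the NIST CSF 2.0 section, and the CPG gap analysis described just above, are the same exercise: score each practice as it is today, state where it should be, and rank the shortfalls so foundational goals come first. The following Python is an added, constructed illustration of that exercise, not code from the article, NIST or CISA. The practice names are the CPG examples listed in the article; the `X-...` identifiers, the 0 to 4 implementation score, the foundational flags and the two profiles are all assumptions made for the example.

```python
"""Current-vs-Target Profile gap analysis in the style of NIST CSF 2.0 / CISA CPGs.

Constructed example: practice identifiers (X-...), the 0..4 score scale, the
foundational flags and both profiles are illustrative, not official values.
"""
from dataclasses import dataclass

# The six NIST CSF 2.0 functions: Govern, Identify, Protect, Detect, Respond, Recover.
CSF_FUNCTIONS = ("GV", "ID", "PR", "DE", "RS", "RC")

# Implementation score per practice: 0 = not in place ... 4 = fully implemented and
# measured. This is a constructed scale, not the CSF Tier definitions.
MAX_SCORE = 4


@dataclass(frozen=True)
class Practice:
    pid: str            # hypothetical identifier, not an official CPG number
    name: str
    csf_function: str   # the practice's "NIST CSF Reference" function
    foundational: bool  # constructed flag: scheduled first on the roadmap

    def __post_init__(self):
        if self.csf_function not in CSF_FUNCTIONS:
            raise ValueError(f"{self.pid}: unknown CSF function {self.csf_function!r}")


# Practice names come from the CPG examples in the article; IDs and flags are constructed.
PRACTICES = (
    Practice("X-ID-1", "Asset Inventory", "ID", True),
    Practice("X-ID-2", "Organizational Cybersecurity Leadership", "ID", True),
    Practice("X-ID-3", "Mitigating Known Vulnerabilities", "ID", True),
    Practice("X-PR-1", "Changing Default Passwords", "PR", True),
    Practice("X-PR-2", "Network Segmentation", "PR", False),
    Practice("X-PR-3", "Email Security", "PR", True),
    Practice("X-RS-1", "Incident Reporting", "RS", True),
    Practice("X-RS-2", "Vulnerability Disclosure", "RS", False),
    Practice("X-RS-3", "Deploy security.txt", "RS", False),
)

# Constructed Current Profile (where the institution is today).
CURRENT_PROFILE = {"X-ID-1": 2, "X-ID-2": 4, "X-ID-3": 1, "X-PR-1": 3, "X-PR-2": 1,
                   "X-PR-3": 2, "X-RS-1": 4, "X-RS-2": 0, "X-RS-3": 0}

# Constructed Target Profile; practices not listed default to MAX_SCORE.
TARGET_PROFILE = {"X-PR-2": 3, "X-RS-3": 2}


def _check_profile(profile, practices):
    """Reject unknown practice IDs and out-of-range scores before comparing profiles."""
    known = {p.pid for p in practices}
    for pid, score in profile.items():
        if pid not in known:
            raise ValueError(f"profile references unknown practice {pid!r}")
        if not 0 <= score <= MAX_SCORE:
            raise ValueError(f"{pid}: score {score} outside 0..{MAX_SCORE}")


def gap_analysis(current, target, practices=PRACTICES):
    """Return the practices whose current score is below target, prioritized:
    foundational practices first, then largest shortfall, then identifier."""
    _check_profile(current, practices)
    _check_profile(target, practices)
    gaps = []
    for p in practices:
        cur = current.get(p.pid, 0)           # unscored practice = not in place
        tgt = target.get(p.pid, MAX_SCORE)    # unstated target = fully implemented
        if cur < tgt:
            gaps.append({"pid": p.pid, "name": p.name, "function": p.csf_function,
                         "current": cur, "target": tgt, "gap": tgt - cur,
                         "foundational": p.foundational})
    gaps.sort(key=lambda g: (not g["foundational"], -g["gap"], g["pid"]))
    return gaps


def function_coverage(current, target, practices=PRACTICES):
    """Per CSF function: (practices already meeting target, practices mapped to it).
    Functions with no mapped practice show (0, 0), flagging a blind spot in the scope."""
    cov = {f: [0, 0] for f in CSF_FUNCTIONS}
    for p in practices:
        cov[p.csf_function][1] += 1
        if current.get(p.pid, 0) >= target.get(p.pid, MAX_SCORE):
            cov[p.csf_function][0] += 1
    return {f: tuple(v) for f, v in cov.items()}


if __name__ == "__main__":
    for g in gap_analysis(CURRENT_PROFILE, TARGET_PROFILE):
        tier = "foundational" if g["foundational"] else "advanced"
        print(f"{g['pid']:7} {g['function']} {g['current']}->{g['target']} "
              f"(gap {g['gap']}, {tier}) {g['name']}")
    for func, (met, total) in function_coverage(CURRENT_PROFILE, TARGET_PROFILE).items():
        print(f"{func}: {met}/{total} practices at target")
```

Two design points matter for a real assessment: a practice absent from the Current Profile is scored as not in place rather than silently skipped, so an incomplete inventory shows up as a gap instead of as false assurance, and the coverage report lists every CSF 2.0 function, so a function with no mapped practice at all (Govern, Detect and Recover in this constructed data) is visible as a scoping gap rather than hidden.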

Resources and Support from CISA

CISA offers a range of tools, guidelines, and best practices to help institutions implement the CPGs effectively. These resources include:

Partner with NETBankAudit for Cybersecurity Assessments, Testing and Value-Add Consulting

NETBankAudit brings over 23 years of success in serving more than 800 organizations across the financial services industry. Founded in 2000 by a team of IT executives and former regulatory officers, NETBankAudit has consistently stayed ahead of the curve in addressing the evolving challenges of information technology in financial services.

NETBankAudit is the Leader for Cybersecurity Risk Assessments

Comprehensive and Tailored Services

NETBankAudit offers a full range of cybersecurity assessment and testing services, including:

  • IT and Cybersecurity Audits
  • Risk Assessments
  • Vulnerability and Penetration Testing
  • Social Engineering Testing
  • Regulatory Compliance Audits

Our approach is always tailored to the specific needs, circumstances, and budget constraints of each client. We understand that no two financial institutions are alike, and we pride ourselves on delivering customized solutions that address the unique challenges faced by each organization.  

Value-Add Approach

What sets NETBankAudit apart is our value-add approach to auditing and compliance. We don't just identify issues; we provide actionable, practical advice drawn from our experts' real-world experiences. Our goal is to serve as a true internal audit partner, helping our clients navigate complex IT and compliance landscapes efficiently and effectively.

Best-in-Class Tools and Methodologies

NETBankAudit employs a proven, time-tested approach to vulnerability and penetration testing. We go beyond standard open-source testing by utilizing customized best-in-class tools that address the unique needs of financial institutions. Our dedicated, certified security engineers provide a thorough review of client infrastructure, delivering an understandable list of identified security issues and recommendations for mitigation.

Regulatory Expertise

With a team that includes former regulators and banking executives, NETBankAudit has an intimate understanding of regulatory requirements and expectations. We stay up-to-date with the latest regulatory changes and incorporate this knowledge into our assessments and recommendations, helping our clients stay ahead of compliance requirements.

 
class SampleComponent extends React.Component { 
  // using the experimental public class field syntax below. We can also attach  
  // the contextType to the current class 
  static contextType = ColorContext; 
  render() { 
    return <Button color={this.color} /> 
  } 
} 
