Winds of Change

The FFIEC has announced that it will sunset the Cybersecurity Assessment Tool (CAT) on August 31, 2025. After that date the tool will be removed from the FFIEC website and will no longer be supported.

Although the FFIEC never made the CAT a mandatory cybersecurity assessment tool, most institutions eventually chose to use it voluntarily because it helped them get through their audits smoothly. The prevailing perception has been that a bank presenting the CAT as its assessment instrument demonstrates a comprehensive approach that will satisfy the examiners.

Now, after ten years of the CAT, the FFIEC has decided not to update it further and instead encourages institutions to adopt more current and comprehensive standards and cybersecurity frameworks.

HolistiCyber offers financial institutions a service that replaces FFIEC CAT assessments with a methodology we have been implementing successfully for the last eight years. The service gives our clients a comprehensive, up-to-date framework that is maintained dynamically and continuously. Deploying it is designed to get you through your FFIEC audit, but it does not stop at “checking the box”: it delivers a risk assessment that goes well beyond what the audit requires. This is your opportunity to win on both fronts.

Methodology:

We start our risk assessment by helping you set up or update your cyber business impact analysis (BIA), ensuring that your lines of business are properly defined so that they can be analyzed easily and accurately from a cyber perspective. We then evaluate your business processes against your cyber risk appetite, define risk tolerance guardrails, and outline your potential business damage assessment (BDA) according to your preferences. Finally we execute our comprehensive risk assessment, reviewing your entire attack surface from a holistic point of view and rating each identified risk by its real business impact.

The foundation of our methodology is the National Institute of Standards and Technology (NIST) Cybersecurity Framework 2.0 together with the Cybersecurity and Infrastructure Security Agency (CISA) Cybersecurity Performance Goals. On top of that foundation we add optional risk assessment layers, applied at the discretion of your organization according to its needs. Among these layers we incorporate:

  • Additional standards or regulations that your organization is required to adhere to, or has chosen to comply with. We incorporate this layer by unifying the security controls into a single control posture, so that similar controls are not duplicated (e.g. NYDFS 23 NYCRR Part 500, PCI DSS, ISO/IEC 27001 (ISMS), ISO/IEC 27032, FINRA rules, FedRAMP, SEC cybersecurity rules).
  • Additional frameworks: we draw on additional frameworks when we find that a particular security control or process does not fully cover a risk we identified as relevant to the organization. We take specific countermeasures from those frameworks and add them to the repository of the holistic risk assessment, or use the guidance of a subject-specific framework to strengthen safeguards that NIST CSF 2.0 or the CISA Performance Goals cover less thoroughly (e.g. CSA CCM, OWASP, CIS Controls, and more detailed NIST publications such as SP 800-53 security controls, SP 800-147 BIOS protection, NISTIR 8170 and 8179, SP 800-61 incident response, SP 800-161 supply chain risk management).
  • Emerging issues that existing frameworks have not yet addressed, or that existing standards do not define clearly (e.g. AI deepfakes, AI data leakage protection, AI model protection, responsible AI usage, model and data poisoning, Offensive Framework Methodology (OFM)).

We assess your risks and evaluate your security controls across four distinct and essential dimensions:

  • The effectiveness of your cyber controls.
  • The maturity of your cyber controls.
  • The coverage of your cyber controls.
  • The importance of your cyber controls.

We then deliver a pragmatic report that shows the gap between your inherent risk profile and your residual risk, together with a recommended, practical program for revising your existing cyber defense program. The report helps you visualize and justify the optimization of your cyber defense program by laying out a prioritized roadmap of milestones for introducing new countermeasures and amending existing controls. The priorities are derived from the importance scores of your security controls, taking into account the interdependencies between controls, the association between business risks and the cyber risks attributed to them, and the business impact of each risk.

This solidifies your cyber defense plans and gives you a powerful tool for ensuring that your prioritization arguments rest on a comprehensive assessment covering every aspect of threat modeling, tightly bound to your true business needs and priorities.

HolistiCyber

HolistiCyber supports organizations in their cyber defense challenge, providing state-of-the-art consultancy, services and solutions that help them defend themselves proactively and holistically in an era of constantly evolving cyber threats, many of which reach nation-state-grade levels of sophistication.
