FFIEC CAT Sunset: Why the CRI Profile is a Strong Alternative

You’ll have to look at how to migrate your CAT data to your replacement tool’s control framework of choice, whether that be Cyber Risk Institute (aligned with NIST), CIS Critical Security Controls (aligned with CIS Benchmarks/CIS Controls), among others.

Most financial institutions will not be fully aligned with all the recommended controls for their risk profile after the first pass. This is because FFIEC guidance isn’t fully aligned with other tools’ control frameworks, like NIST, for example.

Second, developing a long-term strategy to achieve full alignment with your new assessment tool’s recommended controls should be on your radar. You should also have a plan to address concerns from management and stakeholders about your information security program and why it’s not fully aligned with the controls recommended for your risk profile, even though you might have been Baseline or a higher control maturity with the CAT.

Unlike the CAT, where your inherent risk profile is generated by responses from granular questions about your institution’s environment like the number of banking delivery channels for customers and volume of transactions processed by transaction type, generating your CRI risk profile is a little different. After completing nine questions related to your institution’s inherent risk, systemic risk, and more, you’ll be assigned one of four impact tier levels. When you hear impact tiers, think Maturity Levels from the CAT. Your impact tier level will drive which of the four corresponding control tiers you should be aligned with.

Speaking of the four impact tiers, they range greatly! Most of you reading this will have your financial institution fall into Tier 4, which essentially means a cyberattack at your institution would have a limited impact on the financial sector as whole.

In comparison, Tiers 1-3 are for institutions that if impacted by a cyber event would have a national, sub-national, or direct financial sector impact, respectively. These tiers are designed to hold institutions that are critical to the nation’s financial sector to a higher control standard.

The CRI Profile offers a flexible range of response options—including “Yes,” “No,” “Partial,” “Yes, Risk-Based,” “Yes, with Compensating Controls,” “Not Tested,” “Don’t Know,” and “To Be Assessed.” So, for example, if you have to attest to application access review frequency or MFA enforcement, you can answer “yes, with a risk-based approach.” This way, the CRI tool gives you more flexibility on control implementation. The “To Be Assessed” response option also comes in handy as you likely won’t be able to answer “yes” for each control question since the NIST framework doesn’t perfectly map to FFIEC.

You’ll also have to start game planning for how you report on your information security program to your Steering Committee, Audit Committee, and Board, after your first use of the new CRI Profile. Specifically, you’ll have to plan for reporting on controls you either don’t have in place or haven’t tested, emphasizing the need for an action plan to become fully aligned with the recommended controls.

Lastly, unlike the CAT, once you go through the exercise of answering the control questions, you will not get a clean cybersecurity maturity graph, along with a breakdown of your compliance with each control domain. With the CRI Profile, you will simply get a total count, by response, for each domain. This is not a bad thing – just something to be aware of when it comes to building your report deliverables for Senior Management, Technology Steering Committees, the Board, and other stakeholders.