FFIEC cyber tool needs urgent revamp

The current design of the Federal Financial Institutions Examination Council’s new Cybersecurity Assessment Tool, also known as CAT, sets institutions up for cyber-risk assessment failure. That’s because the tool doesn’t take into account the unique cybersecurity risks banking institutions face. And users aren’t offered any opportunity to explain why they have or have not complied with specific categories and subcategories included in the tool’s questions.

But banking executives say they’re hopeful the FFIEC will be receptive to the industry’s desire for a second version of the tool to be released by midyear. For now, none of the federal banking agencies that make up the FFIEC are saying what we might expect to see after a second comment period in January.

The FFIEC would be wise to carefully consider the feedback it receives, and then use that feedback to make significant and meaningful changes to the tool—without delay (see Will FFIEC Revamp Cyber Assessment Tool?).

The fact that the FFIEC is accepting a second wave of comments could very well be an indication that some changes to the tool are, indeed, on the way.
