How To Use The FFIEC’s New Cybersecurity Assessment Tool

An outside review of the FFIEC’s newest “tool”

Does the FFIEC Cybersecurity Assessment Tool make you feel like this?

If you’re reading this, then you have probably received a “recommendation” by an examiner to use the FFIEC’s new Cybersecurity Assessment Tool (view the tool here). If you’ve taken the next step and made an attempt to view the tool you might have found yourself legitimately asking, “Ok, so where’s this tool I’ve been hearing about?”

This article will help you go from “huh?” to confident by providing some context around (i) where it came from, and (ii) what it is. We will also recommend a MUCH more helpful way to interact with the tool.

Where did the Cybersecurity Assessment Tool come from?

tl;dr — it came from the FFIEC, which is a committee, that is comprised of six other mega-committees… so you can imagine how awesome and easy to use it is.

The Federal Financial Institutions Examination Council (FFIEC) was created on March 10, 1979 and has been “empowered to prescribe uniform principles, standards, and report forms to promote uniformity in the supervision of financial institutions.” Times were much simpler in 1979 — if you wanted to steal money from a bank or its customers you literally had to steal the physical money.

But technology has seen to it that money can be stolen by anyone in the world, from anywhere in the world, at any time of the day ($81 Million stolen from Bangladesh Central Bank last February). So, on May 18, 2014, FFIEC Chair Thomas J. Curry stated that one of the FFIEC’s top priorities was “helping to make banks less vulnerable and more resilient to cyber-attacks,” and in June of 2014 the Cybersecurity Assessment Tool was released to the public.

What is the FFIEC’s Cybersecurity Assessment Tool?

tl;dr — it’s a PDF.

I am in the software industry, and in that world a tool refers to something more like a web application. I was disappointed then to discover that, in the FFIEC’s world, “tool” is a code word for “really long PDF.”

So when the FFIEC puts their best foot forward to help credit unions and banks combat a global confederacy of sophisticated cyber criminals operating without borders or rules and we get a 59 page PDF, the words “REALLY?!?” come to mind.

That may be a bit too harsh… they are trying to help after all, aren’t they? So before we make a snap judgment about this tool, lets take a closer look inside.

What’s inside the PDF?

The contents of the CAT include:

  1. An Overview for Chief Executive Officers and Boards of Directors
  2. A User’s Guide
  3. Guidance on assessing your Inherent Risk Profile
  4. Guidance on assessing your Cybersecurity Maturity

Lets ignore items 1 and 2 for now, because the real meat and potatoes (or quinoa and spinach if you are a millennial) is that the CAT has two main parts: (i) assessing your organization’s inherent risk (What is Inherent Risk?), and (ii) assessing your organization’s cybersecurity maturity level.

Part 1: Assessing Inherent Risk

The CAT seeks to help you answer how risky your organization is based on the nature of its environment. It does this by asking you to categorize your organization’s inherent risks across 39 risk areas in the following five categories:

  1. Technologies and Connection Types
  2. Delivery Channels
  3. Online/Mobile Products and Technology Services
  4. Organizational Characteristics
  5. External Threats
Screenshot from the FFIEC Cybersecurity Risk Assessment Tool PDF

As you can see in the image above, the CAT will provide you with a statement and then ask you to select from a list of options that classify you as having some amount of inherent risk. The CAT suggests a scoring model that basically equates to the following: Least (1 point), Minimal (2), Moderate (3), Significant (4), Most (5). These points are then averaged to produce an inherent risk score. Here is an example of the FSSCC’s interpretation of that scoring model.

Screenshot from the FSSCC’s Automated Cybersecurity Assessment Tool in Excel

The downside to this approach is that it doesn’t take into account the reality that some of the categories and risk areas present substantially more or less risk than others. It would be better to have risk areas being scored, not relative to their own In other words, a generic, linear, assignment of 1–5 points may not be a true reflection of the inherent risk.

some of the “areas of concern” present substantially more or less risk than others

Part 2: Assessing Cybersecurity Maturity

With your inherent risk level established, the CAT’s next step is to assess your Cybersecurity maturity across 494 “statements.” These statements are categorized by the various components that the FFIEC believes are critical aspects of security including things like asset management, governance, and 3rd party connections.

A screenshot of the Cybersecurity Maturity section of the CAT

The aim of this is to determine where your organization is across the following 5 maturity buckets (ranging from the least to the most mature): (i) baseline (ii) evolving (iii) intermediate (iv) advanced (v) innovative. As shown in the screenshot above, you will be presented with a category, in this case “Infrastructure Management” and then you will respond [Yes] or [No] if you have the prescribed controls in place.

This procedure will help you determine how the FFIEC views your organizational maturity, but it does not provide you with a reflection of how mature you are relative to your fellow banks — wouldn’t that be interesting?

So what would happen if you combined the CAT with modern technology?

tl;dr — you would have an online assessment platform that is collaborative, easy to use, insightful, and helpful… something like Whistic.

While the FFIEC’s CAT is a decent place to start, it is not easy to use, it is not collaborative, it doesn’t track your changes over time, and as we have observed in the software industry, if it’s not easy to use then people will only use it begrudgingly if REQUIRED to do so.

This is where Whistic steps in. Whistic built a platform that converts various standards, regulations, policies, or risk assessments into simple, online questionnaires. Because they are online, Whistic was able to build in collaboration tools, revision histories, and every other wonderful thing that spreadsheets could never do well — including industry benchmarking. Whistic has also drawn in the wisdom of crowds to create the world’s smartest risk scoring algorithm, enabling its customers to make rapid, accurate decisions backed by hundreds of other IT and security experts. All this expertise is being brought to bear on the FFIEC’s Cybersecurity Risk Assessment, enabling credit unions and banks to satisfy their examiners and regulatory burdens like never before.

To learn more, contact us at or visit us at

About Whistic

Whistic is an award winning risk assessment and analytics platform that makes it easy for companies to assess service providers or self assess against compliance and security standards (e.g. PCI, DSS). Headquartered in Orem, Utah at the heart of the Silicon Slopes Whistic is the creator of the CrowdConfidence scoring algorithm that leverages the wisdom of crowds to assess the inherent and residual risks of sharing data with a vendor. Whistic was the recipient of the “Best Enterprise” award at the World’s Largest Startup Event: Launch Festival 2015.

For more information about Whistic, visit:

Chief Product Officer @ Whistic