FFIEC Cybersecurity Assessment Tool

October 18, 2016

Frequently Asked Questions

FIL-68-2016


The Federal Financial Institutions Examination Council (FFIEC) issued a Frequently Asked Questions guide related to the Cybersecurity Assessment Tool (CAT).

Statement of Applicability to Institutions with Less than $1 Billion in Total Assets: This Financial Institution Letter (FIL) applies to all FDIC-supervised institutions.


  • The FFIEC published the Cybersecurity Assessment Tool in June of 2015 as a voluntary tool to help financial institutions’ management identify risk and determine their cybersecurity preparedness.
  • The CAT provides a repeatable and measurable process that financial institutions may use to measure their cybersecurity preparedness over time.
  • Use of the tool is voluntary. Financial institution management may choose to use the CAT, another framework, or another risk assessment process to identify inherent risk and cybersecurity preparedness.
  • The FAQs clarify points in the CAT and supporting materials based on questions received by the FFIEC members over the course of the last year.
  • Financial institution management is primarily responsible for assessing and mitigating their institution’s cybersecurity risk, including risks from services provided by third parties. Financial institutions may find the latest information about cybersecurity risk management at the FFIEC Cybersecurity Awareness website.
