How Banks Can Best Prepare For Audits And Exams


Banks are a prime target for cybercriminals.

In fact, the typical financial services business in America gets attacked more than a billion times a year, according to PayPal CEO Dan Schulman.

That’s more than 7,600 threats every minute.

Compare that to the typical American business, which faces about 4 million attacks a year.

This alarming trend is why banks must be regularly audited.


Use The Cybersecurity Assessment Tool (CAT)

One of the best ways banks can prepare for audits and exams is with the Cybersecurity Assessment Tool (CAT).

“In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council (FFIEC) developed the Cybersecurity Assessment Tool to help institutions identify their risks and determine their cybersecurity preparedness,” says the FFIEC.

The CAT looks at 500 cybersecurity components and helps banks assess the controls they have (or don’t have) in place.

One of the ways it does this is by helping security professionals understand cybersecurity maturity across five domains.


Understand The 5 Domains

The CAT categorizes controls across five domains:

  1. Cyber Risk Management and Oversight
  2. Threat Intelligence and Collaboration
  3. Cybersecurity Controls
  4. External Dependency Management
  5. Cyber Incident Management and Resilience


Each domain looks at a number of assessment factors and components.

“Under each component,” the CAT says, “there are declarative statements describing an activity that supports the assessment factor at that level of maturity.”


Get Familiar With The 5 Maturity Levels

The CAT outlines five cybersecurity maturity levels, which range from the minimum expectations required by law to driving innovation within the industry.

Each maturity level is listed here along with an example of a control:

  1. Baseline - Designated members of management are held accountable by the board or an appropriate board committee for implementing and managing the information security and business continuity programs.
  2. Evolving - At least annually, the board or an appropriate board committee reviews and approves the institution’s cybersecurity program.
  3. Intermediate - The board or an appropriate board committee has cybersecurity expertise or engages experts to assist with oversight responsibilities.
  4. Advanced - Industry-recognized cybersecurity standards are used as sources during the analysis of cybersecurity program gaps.
  5. Innovative - The board or an appropriate board committee discusses ways for management to develop cybersecurity improvements that may be adopted sector-wide.


Banks must first meet every Baseline declarative statement in a domain before moving up in sophistication.
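To show how the maturity levels above and the baseline-first rule combine, here is an added example (not code from the article or from the FFIEC) that scores a set of declarative-statement responses per domain. It assumes each statement is answered "Y", "YC" (yes, with compensating controls) or "N", and that a level counts only when every statement at it and at every lower level is satisfied; the statement ids and answers are constructed sample data.

```python
# Added example: CAT-style maturity scoring per domain.
# Assumption: answers are "Y", "YC" or "N"; a level is achieved only when all
# statements at that level AND all lower levels are "Y" or "YC".
from collections import defaultdict

LEVELS = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]
SATISFIED = {"Y", "YC"}

# Constructed sample responses: (domain, level, statement id, answer).
# Statement ids are placeholders, not FFIEC numbering.
RESPONSES = [
    ("Cyber Risk Management and Oversight", "Baseline", "RM-B-1", "Y"),
    ("Cyber Risk Management and Oversight", "Baseline", "RM-B-2", "YC"),
    ("Cyber Risk Management and Oversight", "Evolving", "RM-E-1", "Y"),
    ("Cyber Risk Management and Oversight", "Intermediate", "RM-INT-1", "N"),
    ("Cyber Risk Management and Oversight", "Advanced", "RM-A-1", "Y"),
    ("Cybersecurity Controls", "Baseline", "CC-B-1", "Y"),
    ("Cybersecurity Controls", "Baseline", "CC-B-2", "N"),
    ("Cybersecurity Controls", "Evolving", "CC-E-1", "Y"),
]


def assess(responses):
    """Return {domain: (highest achieved level or None, [ids blocking the next level])}.

    A level with no recorded statements stops the climb without being credited,
    so an incomplete assessment never reports an inflated maturity.
    """
    by_domain = defaultdict(lambda: defaultdict(list))
    for domain, level, sid, answer in responses:
        by_domain[domain][level].append((sid, answer.upper()))
    result = {}
    for domain, levels in by_domain.items():
        achieved, blockers = None, []
        for level in LEVELS:
            if level not in levels:
                break  # nothing assessed here: do not credit it
            unmet = [sid for sid, ans in levels[level] if ans not in SATISFIED]
            if unmet:
                blockers = unmet  # these gaps keep the domain at the lower level
                break
            achieved = level
        result[domain] = (achieved, blockers)
    return result


if __name__ == "__main__":
    for domain, (level, blockers) in assess(RESPONSES).items():
        print(f"{domain}: {level or 'below Baseline'}; gaps: {blockers or 'none'}")
```

Note that the "Advanced" statement answered "Y" in the first domain earns no credit, because the unmet "Intermediate" statement blocks the climb.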


Work With An Outside Partner

To complete the complex CAT, banks may consider working with an outside partner.

After all, a study from Deloitte found that “companies with less mature security programs were more likely to externally source their cybersecurity functions or personnel.”

Whether you complete the CAT internally or work with a partner, the tool is a great way to help your financial institution prepare for audits and exams.
