FFIEC Cybersecurity Assessment Tool

Watkins Consulting designed an Excel-based workbook to simplify the record keeping of responses and to calculate corresponding scores for the FFIEC Cybersecurity Assessment. We are pleased to offer a free download of this Excel workbook. Upon downloading and deciding to use this tool, please register it so we can send you update notices. If you need help expanding this assessment into governance or need help with cybersecurity compliance efforts, please contact us at [email protected]

Download Excel Workbook

Download User Guide

Additional download information is below.

Background

In June 2015, the Federal Financial Institutions Examination Council (FFIEC) published a Cybersecurity Assessment Tool (CAT) to help financial institutions identify and evaluate their cybersecurity risk awareness and readiness; click here to view their web page describing this tool. The tool consists of an extensive set of questions designed to evaluate the cybersecurity risk of a Financial Institution. In 2017 the FFIEC made some minor adjustments to the tool.

The FFIEC published the CAT to encourage consistent analysis, evaluation, and examination of cybersecurity risks inherent in US Financial Institutions. The Tool leverages industry standards, guidelines and best practices, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF, see our post on this), to help organizations better manage, evaluate, and reduce cybersecurity risk. The FFIEC has added an additional metric to the NIST CSF by considering the maturity cycle of an institution and its products and services, thereby aligning cybersecurity maturity to cyber risk—or, the greater the cyber risk, the greater the need for mature cybersecurity. Watkins has also published a short video containing a background description and a worked example using the CAT; click here to view that post.

The CAT was published in a static PDF format; therefore, in order to assist our clients Watkins has derived an equivalent Excel-based workbook that automates the tracking and scoring of an institution’s maturity levels and risk profile. Upon completion, this workbook will provide a snapshot of a Financial Institution’s cyber readiness and exposure. And, a series of workbooks over time will document cyber risk remediation efforts.

An immediate benefit is that our clients and contacts can download and use the FFIEC CAT Excel workbook. It is our hope that this tool will reduce the level of clerical work involved, allowing you to immediately engage in the important work of effective cybersecurity governance. Watkins is offering this tool for your use free of charge; however, we do recommend that you register your tool so that you can receive version updates as they become available. We recommend that you let us know that you are using the Excel workbook by sending us an email.

The purpose of this tool is to record responses and calculate corresponding scores. Should your institution require further explanation of results or interpretation of the FFIEC Cybersecurity Assessment requirements, please contact us at [email protected] or (888) 230-3032.

Download Information

The Excel file is a macro-free file and uses latest Excel Microsoft Office Open XML Format which does not allow for macros. The file size is 512,098 bytes and the SHA-1 checksum is C0D3A8EBEC36F9070EBEDB0257BC082650AD437B.

The Excel file can be downloaded from this link: FFIEC Cyber Assessment Tool.xlsx (version 3.4.2).
The user guide can be downloaded from this link: Watkins FFIEC CAT Excel User Guide . Its SHA-1 checksum is 16D9BA809779531865692B7BFD894E7A4F454233.
A video containing background information and a worked example: Video review post.

Free Excel Cybersecurity Assessment Tool Change Log

Version (link)	Change	SHA-1
3.4.2 (link)	Unlocked improperly locked input cells	`C0D3A8EBEC36F9070EBEDB0257BC082650AD437B`
3.4.1	Allows for easier cell formatting, corrected typos, correct user guide link	`9FDD75D417BF0DEF7DAA56BAED5AE21BD92C599F`
3.3.1 (link)	Adds Appendix A, table of contents tab, user defined worksheet, warning message for component marked as N/A, cleaned up pivot reports, and a switch to hide registration link	`421E68579EB72673E74F87A9BE699A36043D3594`
2.1 (link)	Updates useful links to point to updated handbook location on the web.	`47B15DEE606CF514C5EF5DC9BD100C6F0CB3C706`
2.00 (link)	Includes for FFIEC 2017 update; broke up Risk Management/Training and Culture/Culture/Evolving declarative statements	`703B7EA7AC13CA4D419A0BBEF7C9DBAEAE9BFED2`
1.02 (link)	Unlocked data input; added maturity heat map	`0bc71b7153f6d83b83534a0fcb1054b7e05cafdb`
1.01	Initial public release	`2430acfd22e04c0e49f568af58642dab809d373f`

29,468 total views, 7 views today

Tags: Banking, cybersecurity, internal controls, regulatory compliance