With the upcoming sunset of the FFIEC Cybersecurity Assessment Tool (CAT) in less than three months, community banks are beginning to get nervous about finding a replacement. One misconception that I’ve heard over the years is describing the CAT as a “risk assessment” or even “the risk assessment.” Let’s just set the record straight: the CAT was never built to measure risk, nor will its replacement be (whatever model you choose). It’s a maturity model—a gap analysis that shines a light on how well your cybersecurity program is structured, not on the likelihood or impact of specific threats to the information you protect. While still helpful and even required for a community financial institution, it doesn’t dig deep enough to identify or remediate your biggest risks.
The Missing Piece: Asset‑Based Risk
Real risk management starts at the asset level. At Bedel Security, we use an Asset‑Threat‑Control (ATC) Matrix to map every asset, the threats it faces, and the controls that keep those threats in check. Yes, it’s detail‑heavy—thousands of data points at the intersections of assets, threats, and compensating controls—but auditors and examiners consistently tell us the clarity is worth the effort. And it delivers actionable, measurable tasks that directly reduce risk.
Five Steps to Build Your Own ATC Matrix
Run the assessment at least annually, or sooner when new assets or material changes appear. The first pass is the heaviest lift, but once your matrix is built, maintaining it is easier with a proactive approach.
Why It Matters
An asset-based risk assessment pulls cybersecurity out of the clouds and down to the individual asset, showing—without ambiguity—where you’re exposed and what to do next. Instead of a 30,000‑foot gap analysis that says “review access controls,” the matrix tells you which customer interface lacks MFA, which application access needs stronger monitoring, and which server backup cadence leaves data at risk. That granularity turns an overwhelming problem into a punch‑list of actionable fixes you can assign, budget, and track. Just as important, it helps you communicate to management, the board, and examiners with confidence: Here’s the exposure, here’s our plan, and here’s how we’ll measure success.
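To make the matrix idea concrete, here is a small added example of an Asset‑Threat‑Control matrix in Python. It is illustrative code written for this article, not Bedel Security’s CySPOT™ platform or any part of the ATC Matrix methodology described above. The scoring scheme (inherent risk = likelihood × impact on assumed 1–5 scales; residual risk = inherent risk reduced by each implemented control’s assumed effectiveness), the threshold, and the sample assets, threats, controls and numbers are all constructed for illustration. What it shows is the mechanics the text describes: each cell of the matrix is an asset facing a threat, with the controls that mitigate it, and the output is a prioritized punch‑list of missing controls (for example, the customer portal without MFA) rather than a program‑level gap statement.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int  # assumed scale: 1 (rare) .. 5 (expected)
    impact: int      # assumed scale: 1 (negligible) .. 5 (severe)


@dataclass(frozen=True)
class Control:
    name: str
    effectiveness: float  # assumed share of inherent risk removed when in place, 0..1
    implemented: bool     # False means the control is a gap to fix


@dataclass
class Asset:
    name: str
    # One row of the matrix: each threat the asset faces, mapped to the
    # controls (in place or not) that would mitigate it.
    cells: Dict[Threat, List[Control]] = field(default_factory=dict)


def inherent_risk(threat: Threat) -> int:
    """Risk before any control is considered (assumed likelihood x impact)."""
    return threat.likelihood * threat.impact


def residual_risk(threat: Threat, controls: List[Control]) -> float:
    """Risk that remains after the implemented controls; unimplemented controls count for nothing."""
    remaining = 1.0
    for control in controls:
        if control.implemented:
            remaining *= 1.0 - control.effectiveness
    return round(inherent_risk(threat) * remaining, 2)


def gap_list(assets: List[Asset], threshold: float) -> List[Tuple[str, str, str, float]]:
    """Return (asset, threat, missing control, residual risk) for every matrix cell
    whose residual risk is above the threshold, highest residual first."""
    gaps = []
    for asset in assets:
        for threat, controls in asset.cells.items():
            residual = residual_risk(threat, controls)
            if residual <= threshold:
                continue  # already within tolerance, no task generated
            for control in controls:
                if not control.implemented:
                    gaps.append((asset.name, threat.name, control.name, residual))
    return sorted(gaps, key=lambda gap: gap[3], reverse=True)


def build_sample_matrix() -> List[Asset]:
    """Constructed sample data: three assets, one threat each, two controls per cell."""
    portal = Asset("Customer online banking portal")
    portal.cells[Threat("Credential stuffing", 4, 5)] = [
        Control("Login rate limiting", 0.3, True),
        Control("MFA for customer logins", 0.8, False),
    ]
    core = Asset("Core banking application")
    core.cells[Threat("Misuse of privileged access", 2, 5)] = [
        Control("Role-based access control", 0.5, True),
        Control("Privileged session monitoring", 0.6, False),
    ]
    files = Asset("Document file server")
    files.cells[Threat("Ransomware", 4, 4)] = [
        Control("Endpoint detection and response", 0.5, True),
        Control("Daily offline backups", 0.7, False),
    ]
    return [portal, core, files]


if __name__ == "__main__":
    assets = build_sample_matrix()
    print("Asset | Threat | Inherent | Residual")
    for asset in assets:
        for threat, controls in asset.cells.items():
            print(f"{asset.name} | {threat.name} | {inherent_risk(threat)} | "
                  f"{residual_risk(threat, controls)}")
    print("\nPunch-list (residual above 6.0):")
    for asset_name, threat_name, control_name, residual in gap_list(assets, 6.0):
        print(f"  [{residual}] {asset_name}: implement '{control_name}' against {threat_name}")
```

With the constructed numbers, the portal’s credential‑stuffing cell carries the highest residual risk because the only implemented control (rate limiting) removes little of it, so “implement MFA for customer logins” lands at the top of the punch‑list; the file server’s missing daily offline backups come next; the core application’s cell falls under the threshold and generates no task. Changing a control from `implemented=False` to `True` and re‑running shows how the list shrinks, which is the measurable, asset‑level progress the article contrasts with a maturity score.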
Struggling to get the process off the ground or keep it current? Our vCISO team specializes in ongoing risk management for community banks just like yours using our CySPOT™ platform. Let’s talk about how we can shoulder the heavy lifting so you can focus on serving your customers. Reach us at sales@bedelsecurity.com.