IT Examiner School

Report to the Board Cyber Assessment Tool (CAT)

Management conducted an evaluation of the bank’s cyber event protective efforts in conjunction with the bank’s auditors. The review was initiated on May 1, 20XX, in conjunction with the risk assessment and results are dated as of May 26, 20XX. This included all pertinent aspects of the five domains and the overall results are listed below:

Domain: Results

Domain 1 - Cyber Risk Management & Oversight: Baseline
Domain 2 - Threat Intelligence & Collaboration: Baseline
Domain 3 - Cybersecurity Controls: Baseline
Domain 4 - External Dependency Management: Baseline
Domain 5 - Cyber Incident Management and Resilience: Baseline

Domain 1

Overall, management has established an appropriate governance structure for the size and complexity of the institution. Risk management processes are performed annually and provide reasonable assurances that the institution is adequately protected. Senior management and the Board have provided sufficient funds to ensure the necessary safeguards are in place and afford reasonable protection against cyber threats. The institution has established a training program for all employees, which includes the directors.

Domain 2

The institution receives weekly reports from its MSSP that provide fairly detailed information regarding threat intelligence. The monitoring and analysis performed by the MSSP appears satisfactory and covers the most likely threats to the institution. Management also recently subscribed to FS-ISAC to obtain additional cyber-related information.

Domain 3

A review of the network controls shows adequate preventative, detective, and corrective controls. The most recent vulnerability and penetration tests indicated the MSSP has implemented appropriate controls throughout the network.

Domain 4

The institution is predominantly reliant on its MSSP to ensure the internal and external networks have secure connections when information and transactions are flowing through the systems. Senior management does review their relationship with the MSSP to ensure they provide the appropriate services. It appears the MSSP has provided the most recent topology map that shows all the key connectivity.
