FFIEC Cybersecurity Assessment Tool for Hudson Valley Credit Unions and Community Banks: Inherent Risk vs. Cybersecurity Maturity in Practice

Making sense of the CAT heatmap, maturity levels, and what your examiners actually expect to see

By Jim Venuto | January 9, 2026 | Hudson Valley CISO

The Board Meeting That Prompted This Post

Last fall, a credit union board member in Dutchess County pulled me aside after a quarterly meeting. The institution had just completed its FFIEC Cybersecurity Assessment Tool review, and the results had been presented in a single slide: a colored grid showing "Evolving" maturity across most domains against a "Least" inherent risk profile. The board accepted the results and moved on in under three minutes.

The board member's question was simple: "We're at evolving. Is that good or bad?" She had no frame of reference. Nobody in the room could explain whether "Evolving" maturity was the minimum acceptable level, a comfortable middle ground, or a sign that the credit union was falling behind. That disconnect, between completing the assessment and actually understanding it, is something I see repeatedly at smaller institutions throughout the Hudson Valley, from Newburgh to Kingston to Poughkeepsie.

This post is the explanation that board member deserved. If you sit on the board of a credit union or community bank in our region, or if you manage IT at one and need to translate CAT results for non-technical stakeholders, this is written for you.

What the FFIEC CAT Actually Measures

The FFIEC Cybersecurity Assessment Tool is a structured self-assessment published by the Federal Financial Institutions Examination Council. It is not a regulation, and there is no statutory penalty for failing to complete it. But every NCUA and state examiner in the region uses it as a baseline reference, and if your institution has not completed it, that gap itself becomes a finding. In practice, the CAT is as close to mandatory as a voluntary tool gets.

The assessment has two sides. The first measures your inherent risk profile. The second measures your cybersecurity maturity. The entire point is to determine whether your maturity level is appropriate for the risk your institution carries. A tiny credit union with no mobile banking and 2,000 members has different risk than a community bank running a full digital platform with commercial ACH origination. The CAT accounts for that difference.

The Inherent Risk Profile

The inherent risk side evaluates your institution across five categories: Technologies and Connection Types, Delivery Channels, Online and Mobile Products and Technology Services, Organizational Characteristics, and External Threats. Each category contains questions about the volume and complexity of your operations. Do you offer person-to-person payments? How many direct internet connections does your institution maintain? Do you host your own servers or rely on a service provider?

Your answers produce a risk level for each category: Least, Minimal, Moderate, Significant, or Most. For most Hudson Valley credit unions with assets under $500 million and a standard digital banking suite through a core processor like Symitar, Corelation, or DNA, the overall profile tends to land at Least or Minimal. Community banks running commercial treasury management platforms often land at Moderate. The level matters because it sets the floor for what your maturity needs to look like.

The Cybersecurity Maturity Side

The maturity side evaluates five domains: Cyber Risk Management and Oversight, Threat Intelligence and Collaboration, Cybersecurity Controls, External Dependency Management, and Cyber Incident Management and Resilience. Each domain has five maturity levels: Baseline, Evolving, Intermediate, Advanced, and Innovative.

Here is where the confusion starts. "Baseline" does not mean "good enough." Baseline is the minimum set of practices every regulated financial institution should have in place regardless of size. If your institution is at Baseline, you are meeting the floor and nothing more. "Evolving" means you have moved beyond the minimum and are developing more formalized, repeatable processes. "Intermediate" means those processes are well-documented, consistently applied, and validated. "Advanced" and "Innovative" are aspirational levels most community institutions will never need to reach.

Key point for board members: If your institution has a "Least" inherent risk profile, Baseline maturity is technically aligned. But examiners increasingly expect to see at least Evolving maturity across all five domains, even for the smallest institutions. The regulatory floor has shifted upward in practice, even though the tool's heatmap has not been formally updated.

Reading the Heatmap

The CAT produces a heatmap that maps your inherent risk level against your maturity level. The FFIEC provides a matrix showing which combinations are acceptable and which represent a gap. For an institution at Least inherent risk, Baseline maturity falls in the acceptable range. For an institution at Moderate risk, Baseline maturity shows a gap examiners will flag.

Think of it as a two-axis chart. The horizontal axis is your inherent risk, Least on the left to Most on the right. The vertical axis is your maturity, Baseline at the bottom to Innovative at the top. A diagonal from lower-left to upper-right is your target. If your maturity sits on or above that diagonal for your risk level, you are aligned. If it sits below, you have a gap.

For a Dutchess County credit union at Least inherent risk, the minimum target is Baseline. For an Ulster County community bank at Moderate inherent risk, the target is Evolving to Intermediate depending on the domain. The heatmap is not pass-fail. It is a conversation starter between your institution and your examiner, but one you need to be prepared for with documentation.
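The alignment check described in the two paragraphs above, written out as an added Python illustration (not code from the post or from the FFIEC). The minimum-maturity-per-risk table, the "practice floor" of Evolving, and the sample ratings are assumptions constructed from what the post states, not the official FFIEC matrix.

```python
# Added illustration of the heatmap check; not the post's or the FFIEC's code.
# Level orderings are the post's. HEATMAP_TARGET is an ASSUMPTION built from
# the post (Least -> Baseline, Moderate -> Evolving); swap in the official matrix.

MATURITY = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]
DOMAINS = [
    "Cyber Risk Management and Oversight",
    "Threat Intelligence and Collaboration",
    "Cybersecurity Controls",
    "External Dependency Management",
    "Cyber Incident Management and Resilience",
]
# Assumed minimum maturity per inherent risk level (the heatmap "diagonal").
HEATMAP_TARGET = {"Least": "Baseline", "Minimal": "Baseline", "Moderate": "Evolving",
                  "Significant": "Intermediate", "Most": "Intermediate"}
# The post notes examiners expect at least Evolving everywhere in practice.
PRACTICE_FLOOR = "Evolving"


def target_for(risk, floor=None):
    """Minimum maturity at a given inherent risk, optionally raised to a floor."""
    target = HEATMAP_TARGET[risk]  # KeyError for an unknown risk level
    if floor is not None:
        target = max(target, floor, key=MATURITY.index)
    return target


def gap_report(risk, ratings, floor=None):
    """Map each domain to (rating, target, delta); delta < 0 means a gap."""
    target = target_for(risk, floor)
    report = {}
    for domain in DOMAINS:
        rating = ratings[domain]
        if rating not in MATURITY:
            raise ValueError(f"unknown maturity level: {rating}")
        delta = MATURITY.index(rating) - MATURITY.index(target)
        report[domain] = (rating, target, delta)
    return report


# Constructed sample: a Least-risk credit union that is Evolving everywhere
# except incident management, where no tabletop exercise has been run yet.
SAMPLE = {d: "Evolving" for d in DOMAINS}
SAMPLE["Cyber Incident Management and Resilience"] = "Baseline"

if __name__ == "__main__":
    # Formal heatmap says aligned; the practice floor flags incident management.
    for domain, (rating, target, delta) in gap_report("Least", SAMPLE, PRACTICE_FLOOR).items():
        print(f"{'GAP' if delta < 0 else 'OK '} {domain}: {rating} vs {target}")
```

Running it with `floor=None` reproduces the post's "technically aligned" reading for a Least-risk institution, while the practice floor surfaces the one domain an examiner would ask about.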

Domain by Domain: Evolving vs. Intermediate in Practice

Understanding the practical difference between Evolving and Intermediate is the most common gap I encounter at institutions in our region. Here is what each level looks like in day-to-day operations across the five domains.

Cyber Risk Management and Oversight

At Evolving, your institution has a board-approved cybersecurity strategy. The board receives regular updates on cyber risk, and someone has been designated as responsible for cybersecurity oversight. Risk assessments are performed, but they may not follow a formal, repeatable methodology.

At Intermediate maturity, the cybersecurity strategy is integrated into enterprise risk management. The board does not just receive updates; board members ask informed questions and document their oversight in minutes. Risk assessments follow a defined methodology, run on a set schedule, and feed directly into budget decisions. There is a clear escalation path from the person managing daily operations to the board, with defined thresholds for what triggers escalation.

Threat Intelligence and Collaboration

At Evolving, your institution receives threat intelligence from at least one source, typically FS-ISAC or alerts from your core processor, and someone reviews it regularly. You may share information informally with peer institutions or through your state league.

At Intermediate, threat intelligence is actively used to adjust controls. When FS-ISAC issues an alert about a phishing campaign targeting credit unions, your team has a documented process for evaluating exposure and determining specific actions. Information sharing is formalized and tracked.

Cybersecurity Controls

At Evolving, you have implemented controls beyond the regulatory minimum. Multi-factor authentication is in place for remote access. Patching happens on a defined schedule. You conduct vulnerability scans and address findings. Access reviews are performed at least annually.

At Intermediate, those controls are validated through independent testing. Penetration testing occurs at least annually and covers both external and internal vectors. Access management follows a defined lifecycle: provisioning, modification, de-provisioning, and recertification are all documented. Network segmentation exists and is tested. Encryption covers data at rest and in transit, and key management follows a documented process.

External Dependency Management

For Hudson Valley credit unions that rely on service providers for core processing, digital banking, and often IT management itself, this domain is where the most practical risk lives. At Evolving, your institution maintains a list of critical third-party providers and has reviewed their SOC 2 reports. Contracts include security requirements, and you have a basic understanding of fourth-party exposure.

At Intermediate, vendor management is a formal program. SOC 2 reports are not just collected but analyzed, with complementary user entity controls mapped to your own internal controls. Business continuity plans account for the loss of a critical vendor, and you have tested that scenario, not just documented it. Given that many institutions in our area share the same handful of core processors and digital banking platforms, this domain deserves particular attention because a vendor-level failure affects the entire region simultaneously.

Cyber Incident Management and Resilience

At Evolving, you have an incident response plan that defines roles, communication protocols, and escalation procedures. The plan has been reviewed within the past year, and staff know it exists.

At Intermediate, the plan has been tested through tabletop exercises. Staff have practiced their roles. The plan includes playbooks for common scenarios: ransomware, business email compromise, a compromised vendor, a data breach requiring member notification under New York's SHIELD Act. Recovery time objectives are defined for critical systems, and backups are tested against those objectives. Post-incident lessons learned are incorporated into the plan.

A Realistic Roadmap: Baseline to Evolving to Intermediate

If your institution is sitting at Baseline and your board wants to see progress, the path forward does not require a massive budget. It requires deliberate, documented effort over twelve to eighteen months.

During the first six months, focus on the documentation and governance gaps that separate Baseline from Evolving. Write or update your cybersecurity strategy and get board approval. Establish a regular cadence for reporting cyber risk to the board. Subscribe to FS-ISAC if you have not already. Formalize your vendor management process: build the list, collect the SOC reports, and assign someone to review them. Update your incident response plan and make sure every employee with a role in it knows that role.

During months six through twelve, begin the operational work that moves you toward Intermediate. Conduct a tabletop exercise for your incident response plan. Engage a firm for a penetration test that goes beyond the automated external scan your auditor may already run. Implement a formal access review process tied to your HR onboarding and offboarding workflows. Begin mapping your vendors' complementary user entity controls to your own environment.

During months twelve through eighteen, validate and refine. Repeat the tabletop with a different scenario. Verify that penetration test findings were fully remediated. Confirm that your vendor management program has been followed consistently. Present a year-over-year comparison to the board showing where maturity has improved and where work remains.

Budget reality check: For a credit union in the $100M to $300M asset range, which describes many institutions in the Hudson Valley, the incremental cost of moving from Baseline to Evolving is often less than $25,000 per year. Moving from Evolving to Intermediate may cost $40,000 to $75,000 per year, depending on whether you can leverage existing managed service provider relationships. These are process improvements with supporting documentation, not infrastructure overhauls.

The Evidence Pack: What to Prepare for Examiners

Completing the CAT is only half the work. Presenting it to examiners in a way that demonstrates genuine understanding is what separates a smooth exam from a contentious one. The following table outlines the documentation you should have organized before your next examination.

Document: Completed CAT workbook with supporting notes
Purpose: Demonstrates how each maturity statement was evaluated; notes explain the reasoning behind each "Yes," "Yes (Compensating)," or "No" answer
Update frequency: Annually, or when significant changes occur to products, services, or technology
Owner: Information Security Officer or designated cybersecurity lead

Document: Board-approved cybersecurity strategy
Purpose: Shows that cyber risk governance exists at the highest level; examiners will verify the approval date and board resolution
Update frequency: Reviewed annually; updated as needed
Owner: CEO with board approval

Document: Board meeting minutes referencing cyber risk
Purpose: Proves ongoing board engagement, not just annual approval; examiners look for evidence of questions asked and decisions made
Update frequency: Each board meeting where cybersecurity is discussed
Owner: Board secretary

Document: Cybersecurity risk assessment
Purpose: Identifies and prioritizes threats specific to your institution; should map to the CAT's inherent risk categories
Update frequency: Annually
Owner: Information Security Officer

Document: Incident response plan with tabletop exercise results
Purpose: Demonstrates that the plan is tested, not just written; exercise after-action reports show what was learned and changed
Update frequency: Plan reviewed annually; exercises conducted at least annually
Owner: Information Security Officer

Document: Vendor management program documentation
Purpose: Includes critical vendor inventory, SOC 2 report reviews, contract security provisions, and fourth-party risk assessment
Update frequency: Ongoing; SOC reports reviewed upon receipt
Owner: Vendor management coordinator or compliance officer

Document: Penetration test and vulnerability assessment reports
Purpose: Shows independent validation of controls; remediation tracking demonstrates follow-through
Update frequency: Penetration test annually; vulnerability scans quarterly or continuous
Owner: Information Security Officer

Document: Maturity improvement roadmap
Purpose: A one-page document showing current maturity, target maturity, and planned milestones; examiners want to see intentional progress, not perfection
Update frequency: Updated quarterly
Owner: Information Security Officer with board acknowledgment

Document: Examiner discussion prep sheet
Purpose: Internal document summarizing known gaps, compensating controls, and planned remediation timelines; ensures consistent answers during the exam
Update frequency: Before each examination cycle
Owner: Information Security Officer and CEO

How the CAT Feeds Into Your Exam

NCUA examiners and state banking examiners in New York do not grade the CAT like a test. They use it as a structured conversation guide. When an examiner sits down with your team, they will walk through the CAT domain by domain, asking you to explain why you rated yourself at a particular level. The friction happens when an institution rates itself at Evolving but cannot produce documentation to support that rating.

The best approach is honest self-assessment with clear documentation of gaps. If you are at Baseline in Cyber Incident Management because you have not yet conducted a tabletop exercise, say that, and show the examiner your plan and timeline for conducting one. Examiners respond well to institutions that understand their gaps and have a credible plan. They respond poorly to institutions that inflate their maturity ratings.

For community institutions in the Hudson Valley, there is an additional dynamic worth noting. Examiners assigned to our region see the same core processors and managed IT providers across dozens of institutions. They know what controls those vendors provide and what your institution is responsible for. If your vendor management program does not demonstrate an understanding of shared responsibility with your core processor, that gap will surface quickly.

The CAT is not going away, and expectations for how institutions use it continue to increase. Treating it as a strategic planning tool rather than an annual compliance task gives your institution a genuine advantage, both with examiners and with the actual security outcomes the tool is designed to improve.

Need help completing your FFIEC CAT assessment, preparing for an examination, or building a maturity improvement roadmap tailored to your institution's size and risk profile? Visit hudsonvalleyciso.com to learn how we support credit unions and community banks throughout the Hudson Valley with practical, right-sized cybersecurity guidance.

References

FFIEC Cybersecurity Assessment Tool — Federal Financial Institutions Examination Council. Includes the assessment workbook, user guide, inherent risk profile tool, and cybersecurity maturity model.