The CRI Profile

Our thoughts on what should replace the Cybersecurity Assessment Tool

The Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool (CAT) has long served as a cornerstone for financial institutions evaluating and managing cybersecurity risk. Introduced in 2015, the tool was designed to help banks assess their cybersecurity preparedness, identify gaps, and align their security practices with their risk profiles. However, as the cyber threat landscape continues to evolve, the FFIEC has announced its plans to sunset the CAT, transitioning institutions to newer frameworks and methodologies. With the CAT's end on the horizon, taking proactive steps to prepare for a smooth transition to a new cybersecurity framework is essential, and that work should start now.

For financial institutions, the end of the CAT era means finding a new way to structure cybersecurity assessments, meet regulatory requirements, and ensure robust protection against cyber threats. Waiting until the FFIEC officially retires the CAT is risky: transitioning to a new cybersecurity framework takes time, and any delay may leave an institution unprepared or under scrutiny from regulators. As replacements for the CAT, the FFIEC's sunset statement points to government- and industry-developed resources that are better suited to the evolving cybersecurity landscape. These include the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0, the Cybersecurity and Infrastructure Security Agency's (CISA) Cybersecurity Performance Goals, the Cyber Risk Institute's (CRI) Cyber Profile 2.0, and the Center for Internet Security (CIS) Critical Security Controls. The statement also noted that CISA is preparing to release Cybersecurity Performance Goals for the Financial Sector later this year.

This gives institutions several options to replace the CAT. At infotex, we're focusing on the CRI Profile v2.0 because it is based on NIST's CSF 2.0, is tailored to financial institutions, and is mapped to many other important frameworks, including the FFIEC's Business Continuity Management booklet, its Architecture, Infrastructure, and Operations booklet, and the CAT itself. Because the Profile is mapped to the CAT, much of the work and understanding that went into CAT assessments can be carried over to the new framework rather than rebuilt from scratch.

Proactively selecting and implementing a new framework lets your institution tailor its approach to cybersecurity and choose a framework that fits its specific needs and risk profile. It also provides a critical opportunity to implement the framework on your own terms, rather than risk an examiner choosing one for you that may not align with your institution's goals or resources. Start thinking about this decision now. In the cybersecurity realm, proactive planning is always preferable. By transitioning on your own timeline and preparing your teams and systems for a new framework, you can ensure that your institution is not only compliant but also resilient in the face of the ever-evolving cybersecurity landscape.

Original article by Dan Hadaway and Adam Reynolds


Reynolds | Hadaway articles are takes on subjects that we think you should know about.
