CAT Alternatives...
To get out in front of change.
On August 29th, 2024, the Federal Financial Institutions Examination Council (FFIEC) officially announced the sunsetting of its Cybersecurity Assessment Tool (CAT). Introduced by the FFIEC in 2015, the CAT has served as a critical framework for financial institutions to assess their cybersecurity readiness. It gave institutions a structured way to measure their preparedness against evolving threats, scaled to factors like size, complexity, and risk profile. However, with the rapidly changing cybersecurity landscape and emerging new standards, the FFIEC CAT is being phased out, leaving institutions in need of a suitable replacement.

While the sunset date is still about a year away (August 31, 2025), now is the time to start thinking about how you will respond and what will replace the CAT. It remains important to use a defined cybersecurity framework to address cybersecurity risk, but the FFIEC has not announced a replacement framework. And while transitioning away from the FFIEC CAT may seem daunting, there are several well-established alternatives, such as the Cyber Risk Institute (CRI) Profile 2.0, that can help financial institutions build or maintain a strong cybersecurity framework.
In fact, the FFIEC mentioned the CRI Profile in its sunsetting statement: “Supervised financial institutions may also consider use of industry developed resources, such as the CRI Cyber Profile, and the Center for Internet Security Critical Security Controls. These tools can be used in conjunction with other resources (e.g., frameworks, standards, guidelines, leading practices) to better address and inform management of continuously evolving cyber security risk. Supervised financial institutions should ensure that any self-assessment tool(s) they utilize support an effective control environment and are commensurate with their risk.”
So, with the sunsetting of the CAT, it is time to decide which framework will replace it. While the sunsetting of the CAT marks the end of an era, it also presents an opportunity for financial institutions to modernize their cybersecurity programs. We should not wait until our next exam for examiners to push us in the right direction; with cybersecurity it is always important to get out in front of change. The following are the alternatives we expect most community banks to consider:
- Do nothing
- NIST CSF
- CRI Profile (the NIST CSF tailored for financial institutions)
- CIS Controls: We tried this and found it to be a) not a framework and b) too narrow, but since the FFIEC included it in its press release, it should be considered.
- An Enhanced CAT, based on this spreadsheet: the NIST CSF 2.0 Generic Implementation filtered to the questions on which banks are NOT currently being examined. The spreadsheet can also be sorted by the team that (usually) needs to answer each question.
Beyond the above, there are many other public tools that could be considered. Here is an analysis of 21 of those tools that we conducted as part of Dan’s May 2024 talk, which predicted what we are experiencing right now.
In 2024, infotex switched from the CIS Controls to the CRI Profile and got through Tier 4 of the assessment with 2.1 hours of staff time plus 80 minutes of management team meeting time spread across four standing meetings (400 person-minutes for a five-person management team). In other words, we made it through the tier most community banks will use in about 8.7 total person-hours.
Original article by Adam Reynolds, CISSP, Lead Non-Technical Auditor, infotex