The Cybersecurity Assessment Tool (CAT) has been a pillar of risk assessment for financial institutions since June 2015, so when the Federal Financial Institutions Examination Council (FFIEC) announced CAT would sunset on August 31, 2025, many banks were caught off guard.

With the rise of cyber threats, the use of AI by bad actors, and increasingly sophisticated cyberattacks, it is even more imperative for financial institutions to align with a recognized framework and strengthen their defenses now. Rather than replacing CAT, the FFIEC has decided to lean on existing, widely used cybersecurity frameworks.

It is now up to each financial institution to choose the framework that best fits its individual needs, capabilities, and risk appetite, and to implement it before its next regulatory exam. Regulators will no longer accept CAT as an organization's cyber risk assessment or framework after August 31, 2025.

Four Generally Accepted Frameworks

  • NIST Cybersecurity Framework (CSF) 2.0
    • NIST, part of the U.S. Department of Commerce, developed its Cybersecurity Framework to help organizations identify, assess, and manage cyber risks. Widely adopted by businesses, government entities, and other sectors, the framework outlines 134 detailed outcomes to guide robust cyber risk management.
  • Cybersecurity and Infrastructure Security Agency (CISA) Cross-Sector Cybersecurity Performance Goals (CPGs)
    • CISA developed the CPGs as a targeted set of cybersecurity practices to help reduce risks to critical infrastructure and the public. They were shaped through extensive input from industry, government, and other experts. Financial Services Sector-Specific Goals are expected to be released soon; in the meantime, using the non-sector-specific goals is sufficient. This framework provides a high-level breakdown of control categories with 38 security practices, each categorized by cost, impact, and complexity.
  • Cyber Risk Institute (CRI) Profile 2.0
    • CRI is a not-for-profit coalition of financial institutions and trade associations. It created the Cyber Profile as a global benchmark for assessing cyber risk, featuring assessment questions aligned with international regulations and standards such as those from the International Organization for Standardization (ISO) and NIST. Version 2.0 uses a four-tier maturity model; most institutions start in the lowest tier, which contains 208 diagnostic statements.
  • Center for Internet Security (CIS) Critical Security Controls
    • CIS is an independent, nonprofit organization that developed the Critical Security Controls (CIS Controls) as a prescriptive, prioritized, and simplified set of cybersecurity best practices. This framework focuses on implementation maturity: three Implementation Groups guide the initial rollout and subsequent growth. Like CAT, it provides several tiers of controls for implementation.

Tips for Transitioning Post-CAT

  • Download and retain CAT materials now. You can continue using CAT methodologies after August 31, 2025, but the official materials will be removed from the FFIEC website. Save the latest version and update it to reflect current cybersecurity risks.
  • Consider multiple framework alignment. Regulators may ask about controls outside your selected framework. While not required, aligning with more than one framework can strengthen your overall posture.
  • Start early. Waiting until your next exam cycle to adopt a framework increases your risk of rushed or incomplete implementation.
  • Leverage your existing CAT work. Map your CAT controls to your new framework to speed implementation.
  • Engage leadership. Secure board and executive buy-in early to ensure resourcing and policy alignment.
  • Document thoroughly. Record your chosen framework in board minutes and policies, along with implementation steps and timelines.
  • Train your teams. Ensure staff understand changes in processes, reporting, and controls.
  • Benchmark with peers. Connect with local institutions to share lessons learned and compare approaches.

Additional Resources

  • NIST Resources
    • Catalog: https://csrc.nist.gov/projects/olir/informative-reference-catalog#/
    • CSF 2.0 Resources: https://www.nist.gov/cyberframework/informative-references
    • CSF 2.0 Quick Start Guides: https://www.nist.gov/cyberframework/quick-start-guides
  • UpGuard.com resources for NIST CSF 2.0, including questionnaire and risk assessment templates
    • https://www.upguard.com/templates/nist-csf-risk-assessment
  • Independently developed resource to track NIST CSF 2.0 implementation maturity
    • https://johnmasserini.com/2024/03/04/updated-nist-csf-tool-released/
  • CRI Cyber Profile
    • https://cyberriskinstitute.org/the-profile/
  • CIS Critical Security Controls
    • https://www.cisecurity.org/controls
  • CISA Cross-Sector Cybersecurity Performance Goals
    • https://www.cisa.gov/cross-sector-cybersecurity-performance-goals

The CAT sunset is fast approaching, and regulatory exams won’t wait. Contact a Pinion financial institution advisor to assess your options, select the right framework, and implement it smoothly. The sooner you start, the stronger your defenses will be when CAT officially sunsets on August 31, 2025.