The Federal Financial Institutions Examination Council (FFIEC) recently made an announcement that they will stop making updates to the Cybersecurity Assessment Tool (CAT) and sunset the tool, effective August 31, 2025. The decision comes at a time when the cybersecurity landscape for financial institutions is rapidly evolving and receiving an increase in sophisticated threats. The FFIEC will instead provide updated resources that financial institutions can use to better manage cybersecurity risks.
Institutions that have relied on the CAT are advised to download and save a copy before this date if they wish to continue using it as a reference point. After August 31st, it will no longer be updated to reflect new government resources, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework 2.0 and the Cybersecurity and Infrastructure Security Agency’s (CISA) Cybersecurity Performance Goals.
The Role of the CAT in Cybersecurity Risk Management
For many banks, the CAT has been the cornerstone of their risk assessment process. Thankfully you can continue to rely on the methodologies contained in the tool, such as those for identifying and categorizing inherent risks and cybersecurity maturity.
This is not a call to rebuild your risk assessment from the ground up. The tool will simply not include every risk area you should be assessing. Instead of viewing the CAT as an exhaustive checklist for every risk area in your assessment process, use it as a starting point and a helpful guide.
Moving Forward Without the CAT
The FFIEC has determined some helpful resources for banks as they contemplate their risk assessment process going forward, though they are not formally endorsing any alternatives to the CAT. Banks should begin familiarizing themselves with these resources, if they have not already, and begin implementing updates to their risk assessments now.
Support and Resources
The FFIEC recently held a webinar to discuss the previously mentioned resources and ways to integrate them into your current security frameworks.
For personalized guidance during this transition, Pinion’s team remains on hand to assist with adapting your risk assessment processes to align with the latest standards and best practices.
For more detailed information, you can access the FFIEC’s formal statement on this topic, here.
