Introduction

The Federal Financial Institution Examination Council (FFIEC) will be sunsetting the Cybersecurity Assessment Tool (CAT) as of August 31, 2025. This decision was made due to new and updated government and industry resources that have been deemed more effective in managing cybersecurity risks.

History

The FFIEC CAT was released in June 2015 for financial institutions to perform a self-assessment to determine their cybersecurity risks and preparedness. Organizations that completed the CAT received a cybersecurity maturity score in comparison to other financial institutions of their asset size and complexity. The CAT was always a voluntary self-assessment tool for banks and credit unions, but it was highly recommended by the FFIEC over the past decade. The results were often used to assist with prioritizing cybersecurity spending and risk management activities.

New Guidance

With updates to cybersecurity guidance and regulations, the FFIEC made the decision not to update the CAT to meet these new standards. The new guidance and regulations include:

NIST CSF 2.0

The National Institute of Standards and Technology (NIST) released the NIST Cybersecurity Framework (CSF) 2.0 update in February 2024 to improve upon its guidance for organizations to manage cybersecurity risk. This is the largest update to NIST CSF since its original release in 2014.

Previously, NIST CSF was split into 5 Pillars that provide a foundation for cybersecurity programs: Identify, Protect, Detect, Respond, and Recover. NIST CSF 2.0 introduces a sixth pillar: Govern. The information included here isn’t really new – there was always governing guidance around roles and responsibilities, but it was split between the original 5 pillars. With how important the governance side of cybersecurity risk has become, NIST decided to add this as a core function of cybersecurity management.

NIST CSF 2.0 also includes increased focus on supply chain risk management, improvements to the Respond and Recover pillars, and more specific language on how risks should be addressed. The goal with this update was to make the guidelines more clear and more industry-agnostic.

You can read more about the NIST CSF 2.0 update here: https://nvlpubs.nist.gov/nistp...

CISA Cybersecurity Performance Goals for the Financial Sector

The Cybersecurity and Infrastructure Security Agency (CISA) published their Cybersecurity Performance Goals (CPGs) in October 2022. The CPGs were designed to be voluntary, actionable business practices to measure and mitigate cyber threats. These practices are structured in alignment with NIST’s foundational pillars.

In July 2023, CISA began development of Sector-Specific Goals (SSGs) to provide additional guidance for certain industries. CISA identified 16 sectors with varying needs to develop SSGs for, including Financial Services, IT, Energy, Healthcare, Education, and more. To accomplish this, they have engaged and will continue to engage with sector stakeholders to determine the best guidance for each sector. This is an ongoing initiative.

CISA is currently in the process of updating their CPGs based on the NIST CSF 2.0 update, discussed above.

CRI’s Cyber Profile

The Cyber Risk Institute (CRI) is a not-for-profit coalition of financial institutions and trade associations. Their Cyber Profile is a cyber risk assessment framework based on NIST CSF, meant to be used as a benchmark for cybersecurity and resiliency in the financial services industry. Financial institutions can download and fill out the Impact Questionnaire to determine the areas of the framework that apply to them.

You can check out CRI’s Cyber Profile here: https://cyberriskinstitute.org/the-profile/

CIS Critical Security Controls

The Center for Information Security (CIS) is a nonprofit organization focused on improving the cybersecurity of businesses – most widely recognized for their Critical Security Controls. These control sets, updated annually, include the highest priority security concerns with practical guidance for managing them.

CIS organized their Critical Security Controls into three Implementation Groups (IGs). IG1 is designed to be a baseline for cybersecurity resiliency, while IG2 and IG3 build on that foundation for more complex and security-minded organizations. In general, IG1 is considered the starting point for any organization looking to use the CIS Critical Security Controls in their cybersecurity program.

You can read more about the CIS Critical Security Controls and their accompanying audits here: https://www.tracesecurity.com/blog/articles/cis-critical-security-control-audits

What’s Next

Moving forward, the FFIEC recommends that financial institutions refer directly to these new resources for cybersecurity risk guidance.

The FFIEC does not endorse any specific tools, but recognizes that they are great resources for financial institutions to perform self-assessment activities. As a reminder, these tools are not examination programs and may not align directly with the FFIEC’s risk-focused examination procedures.

Read the official FFIEC Release here: https://www.ffiec.gov/press/pdf/CAT_Sunset_Statement_FFIEC_Letterhead.pdf

Marissa Adams, Compliance Analyst

Marissa leads the cybersecurity compliance research at TraceSecurity. With new regulations being imposed every year, she spends time looking into the annual updates and requirements set forth by federal and state regulatory bodies. Her goal is to take these regulations and make them both understandable and actionable for all types of organizations.