FFIEC to Sunset Cybersecurity Assessment Tool

September 17, 2024

Key Takeaways

  • The FFIEC CAT will be decommissioned on August 31, 2025.
  • Alternative tools are available to help financial institutions understand and improve their security posture.
  • The FFIEC has not endorsed another tool yet, but further guidance is anticipated this fall.

The Federal Financial Institutions Examination Council (FFIEC) recently announced the sunsetting of the FFIEC Cybersecurity Assessment Tool (CAT). The tool was created in 2015 to help institutions identify risks and determine overall cybersecurity preparedness.

While using the CAT is voluntary, assessing cybersecurity-related risks and overall maturity level is part of the FFIEC IT Handbook, and the CAT assists in complying with these requirements.

Here are the key points your financial institution needs to know:

Sunsetting of the FFIEC CAT

The FFIEC CAT will be decommissioned on August 31, 2025. This decision was made due to recent updates to United States national critical infrastructure government resources.

These updates include tools that can better assist financial institutions in determining their cybersecurity risks and maturity levels; the principal ones are described below.

Alternatives to the FFIEC CAT Tool

Financial institutions should consider utilizing the NIST CSF 2.0 or the CISA Cybersecurity Performance Goals as part of their cybersecurity self-assessment processes. Both tools help organizations identify cybersecurity risks.

  • Cybersecurity Framework 2.0

    The NIST CSF 2.0, developed by the National Institute of Standards and Technology (NIST), helps organizations manage and identify cybersecurity risks. It provides a structured approach to identifying, protecting against, detecting, responding to, and recovering from cyber threats.

    The NIST CSF 2.0 is an industry-agnostic tool that aligns with various regulatory requirements and assists organizations in measuring cybersecurity maturity.

  • CISA Cybersecurity Performance Goals (CPGs)

    CISA CPGs help organizations focus on specific, broadly applicable cybersecurity threats. The CPGs offer a set of baseline controls that assist in benchmarking and improving overall cybersecurity maturity. These industry-agnostic controls focus on securing the United States’ critical infrastructure.

FFIEC's Endorsement of Self-Assessment Tools

The FFIEC emphasizes the importance of utilizing cybersecurity self-assessment tools in conjunction with overall IT risk assessment processes. While the FFIEC has not explicitly endorsed the NIST CSF or the CISA CPGs, it plans to provide further guidance during an online seminar this fall.

Next Steps for Your Organization

Here at Eide Bailly, we believe cybersecurity risk is business risk. Taking proactive measures to safeguard your assets and mitigate risks will help your financial institution thrive in a digital-first environment.

Both NIST CSF 2.0 and CISA CPG will aid your organization in strengthening its security posture. Which tool you decide to implement will depend on preference, industry-specific needs, and overall strategic alignment.

If you need help in determining the best tool — or would like to discuss your overall cybersecurity strategy — we can help.


About the Author(s)

Eric Pulse

Eric A. Pulse, CISA, CISM, CRISC, CCSFP, CFSA

Principal/Risk Advisory Practice Leader
Eric joined Eide Bailly in 2013 and has over 25 years of experience in public accounting and consulting. He leads Eide Bailly’s Risk Advisory Services practice and specializes in providing information technology, risk advisory and cybersecurity consulting services to a variety of industries, including banking, credit unions, healthcare, insurance, retail, manufacturing and governments. He advises Eide Bailly clients on how to keep their valuable data secure in a world of increasingly sophisticated cyber threats. With his many years of experience, Eric has become a true thought leader in the culture of cybersecurity.