Key Takeaways
- The FFIEC CAT will be decommissioned on August 31, 2025.
- Alternative tools are available to help financial institutions understand and improve their security posture.
- The FFIEC has not endorsed another tool yet, but further guidance is anticipated this fall.
The Federal Financial Institutions Examination Council (FFIEC) recently announced the sunsetting of the FFIEC Cybersecurity Assessment Tool (CAT). The tool was created in 2015 to help institutions identify risks and determine overall cybersecurity preparedness.
While use of the CAT has always been voluntary, the FFIEC IT Examination Handbook expects institutions to assess their cybersecurity-related risks and overall maturity level, and the CAT has been a common way of meeting that expectation.
Here are the key points your financial institution needs to know:
Sunsetting of the FFIEC CAT
The FFIEC CAT will be decommissioned on August 31, 2025. The FFIEC attributed the decision to newer and updated government resources for United States critical infrastructure, which include tools that can better assist financial institutions in determining their cybersecurity risks and maturity levels. The two most relevant are described below.
Alternatives to the FFIEC CAT Tool
Financial institutions should consider utilizing the NIST CSF 2.0 or the CISA Cybersecurity Performance Goals as part of their cybersecurity self-assessment processes. Both are industry-agnostic and both are designed to help organizations identify and prioritize cybersecurity risks.
- NIST Cybersecurity Framework (CSF) 2.0
The NIST CSF 2.0, developed by the National Institute of Standards and Technology (NIST), helps organizations identify and manage cybersecurity risk. It organizes cybersecurity outcomes under six functions: Govern, Identify, Protect, Detect, Respond, and Recover.
The NIST CSF 2.0 is an industry-agnostic framework that maps to a range of regulatory requirements, and its Tiers and Profiles give organizations a way to describe their current and target cybersecurity maturity.
- CISA Cybersecurity Performance Goals (CPGs)
The CISA CPGs are a prioritized set of baseline practices that address the most common and impactful threats to critical infrastructure. They are aligned to the NIST CSF functions, which makes them useful both for benchmarking current maturity and for deciding which improvements to make first. Like the CSF, the CPGs are industry-agnostic and are intended to raise the security baseline across United States critical infrastructure.
FFIEC's Endorsement of Self-Assessment Tools
The FFIEC emphasizes that cybersecurity self-assessment tools should be used in conjunction with an institution's overall IT risk assessment process. It has not explicitly endorsed the NIST CSF 2.0 or the CISA CPGs as a replacement for the CAT, but it plans to provide further guidance during an online seminar this fall.
Next Steps for Your Organization
Here at Eide Bailly, we believe cybersecurity risk is business risk. Taking proactive measures to safeguard your assets and mitigate risks will help your financial institution thrive in a digital-first environment.
Both the NIST CSF 2.0 and the CISA CPGs will aid your organization in strengthening its security posture. Which one you adopt will depend on preference, industry-specific needs, and how well it aligns with your overall strategy; the CPGs offer a shorter, prioritized baseline, while the CSF 2.0 offers a broader framework for describing current and target maturity.
If you need help in determining the best tool — or would like to discuss your overall cybersecurity strategy — we can help.