The FFIEC Cybersecurity Assessment Tool (CAT) has been a critical resource for financial institutions to assess their cybersecurity preparedness. However, with the upcoming phase-out of the CAT on August 31, 2025, financial institutions must prepare to adopt a new framework to maintain effective cybersecurity risk management. In this article, we’ll review the intentions of the CAT, key dates to be aware of, and explore viable alternatives for future assessments.
The FFIEC CAT was first introduced to help financial institutions benchmark their cybersecurity posture, create a path for continuous cybersecurity improvement and provide evidence for audits and examinations. Despite these benefits, the CAT presented several challenges, particularly for smaller institutions. With 494 declarative statements, scaling it for all sizes of financial institutions proved difficult, leading to the decision to phase it out.
Exploring Viable Alternatives
The FFIEC's announcement of August 29, 2024, listed several frameworks and tools that institutions may use in place of the CAT. Each offers different benefits depending on the size and complexity of the institution, so each financial institution should select a cybersecurity risk management framework that fits its size and complexity and delivers the outcomes its cybersecurity program needs (benchmarking, a path for improvement, examination evidence). Below we briefly discuss each option to give financial institutions a starting point for choosing one.
1. NIST Cybersecurity Framework 2.0
The NIST Cybersecurity Framework 2.0 is organized around six core functions (Govern, Identify, Protect, Detect, Respond, and Recover), making it a comprehensive option for managing cybersecurity risk. It is widely adopted across industries and adaptable to financial institutions of various sizes. Its four Implementation Tiers (Partial, Risk Informed, Repeatable, and Adaptive) can be used as a maturity-style progression that gives an institution a path to improve over time, although NIST describes the Tiers as characterizing the rigor of an organization's risk governance and management practices rather than as a formal maturity model. The framework is large, however, and could prove laborious for a community bank to execute, given the many responsibilities that tend to fall to IT and Operations teams in smaller settings.
2. CISA Cyber Performance Goals
Aimed at small and medium-sized organizations, the CISA Cyber Performance Goals are practical, threat-informed goals that align with the NIST CSF functions but do not cover the Govern function. CISA states that the goals are not a framework; nevertheless, they offer actionable steps for improving both IT and operational technology (OT) cybersecurity. Because the goals represent a minimum set of cybersecurity practices, financial institutions that adopt them may need to migrate to another, more sophisticated model once the stated goals have been achieved.
3. Cyber Risk Institute (CRI) Cyber Profile
Built specifically for financial institutions, the CRI Cyber Profile is a streamlined tool that scopes an institution's assessment to a tier based on the potential impact the institution would have on the financial system. The Cyber Risk Institute (CRI) is a non-profit coalition of financial institutions and trade associations, which lends industry knowledge to the Profile. Most community banks will likely fall into Tier 4, which contains 208 diagnostic statements, significantly fewer than the FFIEC CAT's 494 declarative statements. The Profile is self-contained in an Excel workbook and allows an institution to complete only the tier that applies to it, making it well suited to community financial institutions. If this sounds similar to the CAT, it is: of all the frameworks evaluated here, the CRI Cyber Profile will look and feel most like the FFIEC CAT.
4. CIS Top 18 Controls
The CIS Top 18 Controls (the CIS Critical Security Controls) provide a set of best practices organized into three implementation groups (IGs) based on an organization's size, risk profile and cybersecurity resources. Despite the name, the 18 "controls" are really 18 control families, each containing a series of safeguards with clear definitions and implementation guidance. The CIS controls are industry agnostic, so do not expect to find controls specific to financial institutions. The controls themselves, however, are sound and give financial institutions a valuable roadmap for improving their cybersecurity posture.
5. AICPA SOC for Cybersecurity
You have probably seen SOC 1 and SOC 2 reports as part of your vendor management and due diligence process. A lesser known but equally valuable report is the SOC for Cybersecurity examination, which provides an attestation report and opinion from an independent CPA firm on the cybersecurity risk management program of any entity, not just third-party service providers. The examination evaluates management's description of its cybersecurity risk management program and the operating effectiveness of the controls that support its cybersecurity objectives. Often, the cybersecurity controls are defined using the AICPA's Trust Services Criteria for security, availability and confidentiality, similar to a SOC 2 report. A unique characteristic of the SOC for Cybersecurity report is its designation as a general use report: its distribution is not restricted, so it can be shared with shareholders, customers, prospective customers, vendors and any other stakeholder.
With the CAT’s removal on the horizon, financial institutions should begin planning their transition to an alternative framework. For more detailed guidance on preparing for the CAT phase-out, watch a previously recorded webinar presented by our Risk Advisory Services expert, Bryan Newlin, CPA, CISA, on our Engagement Hub.