The Federal Financial Institutions Examination Council (FFIEC) announced on August 29, 2024, that it will sunset the Cybersecurity Assessment Tool (CAT) on August 31, 2025, at which point it will be removed from the FFIEC website.
This decision reflects the availability of new government resources and models for identifying and managing cybersecurity risk, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework 2.0 and the Cybersecurity and Infrastructure Security Agency’s (CISA) Cybersecurity Performance Goals, among others. Although the FFIEC mentioned several viable alternatives to the CAT in its announcement, it explicitly refrained from endorsing any specific cybersecurity tool or framework.
The FFIEC members include the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC), the Consumer Financial Protection Bureau (CFPB), the National Credit Union Administration (NCUA), and the State Liaison Committee.
The FFIEC plans to discuss these changes and introduce new resources during a webinar in the fall of 2024.
How the CAT Sunset Impacts Your Financial Institution
Nearly every financial institution relies heavily on the FFIEC CAT as the foundation for understanding, assessing and managing cybersecurity risk. The CAT also guides cybersecurity examiners and auditors in quickly assessing the state of security at financial institutions.
Adopting new frameworks as soon as possible will be essential for financial institutions to effectively manage cybersecurity risk. Executive leaders, information technology (IT), and cybersecurity team members will need to identify which options are available, weigh the pros and cons of each, and choose the future-state cybersecurity framework that best fits the institution’s needs.
Each cybersecurity framework has its own strengths and weaknesses. Selecting the right framework — or potentially a combination of frameworks, given the scope and extent of the FFIEC CAT’s expectations — will enable your institution to gain a more comprehensive view of cybersecurity risks and controls.
A crosswalk exercise will be necessary to map control sets from the CAT to the chosen future-state frameworks. This exercise will provide cybersecurity stakeholders with a clear pathway to map risks and controls to the new framework and ensure nothing is lost in translation and no risk or control gaps are missed.
How Cherry Bekaert Can Help
With extensive experience in both the FFIEC CAT and additional frameworks mentioned by the FFIEC, Cherry Bekaert’s Cybersecurity team can help with this transition. Whether your financial institution needs assistance selecting the right framework, crosswalking controls and risks, or conducting assessments against the new frameworks, we are ready to guide you forward. Reach out to your Cherry Bekaert advisor today to learn more.