Cybersecurity Risk Assessments for Financial Institutions: Beyond the FFIEC CAT

In late August 2024, the Federal Financial Institutions Examination Council (FFIEC) announced the sunsetting of the Cybersecurity Assessment Tool (CAT) effective August 31, 2025. As part of this announcement, the FFIEC highlights alternative cybersecurity frameworks that may be used; however, it does not explicitly recommend any specific action. Financial institutions need to evaluate these alternatives to determine a plan for replacing the CAT in 2025.

CAT Sunset Preparation Guidelines

As part of a comprehensive Cybersecurity Program, financial institutions should consider the following to effectively integrate cybersecurity into their risk assessments, improve their overall security posture without relying solely on the FFIEC CAT, and prepare for its departure in 2025.

1. Adopt a Comprehensive Cybersecurity Framework

Choose a suitable framework, like the NIST CSF, ISO/IEC 27001 or CIS controls, and customize it to fit the institution’s specific needs and risk profile.

2. Conduct a Cyber Risk Assessment

The cyber risk assessment can be integrated into the existing IT, Information Security and/or Gramm-Leach-Bliley Act (GLBA) Risk Assessments. Start by identifying critical assets, vulnerabilities and potential threats. Then, assess the impact and likelihood of each threat against those assets. Finally, prioritize the resulting risks by their potential impact.

3. Develop a Cybersecurity Strategy

To develop a cybersecurity strategy, start by defining clear cybersecurity objectives that align with the organization’s overall risk management strategy and establish a governance structure to oversee cybersecurity efforts.

4. Implement Strong Security Controls

Deploy technical and administrative controls to protect against identified threats and regularly update and patch systems to address vulnerabilities.

5. Enhance Threat Detection and Response

Set up continuous monitoring systems for real-time threat detection, subscribe to information-sharing resources such as FS-ISAC and CISA to stay informed about known cyber threats, and develop an incident response plan to quickly address and mitigate security breaches.

6. Foster a Cybersecurity Culture

Provide regular cybersecurity training and awareness programs for employees, fostering a security-first mindset across the organization.

7. Conduct Regular Cybersecurity Audits and Testing

Perform audits, penetration testing, tabletop exercises and vulnerability assessments on a regular schedule to confirm that controls are operating effectively. Adjust strategies and controls based on audit findings and evolving threats.

8. Engage in Continuous Improvement

Regularly review and update the cybersecurity strategy to adapt to new threats and changes in the regulatory landscape, incorporating lessons learned from incidents and industry best practices.

9. Establish a Communication Plan

Develop a plan for internal and external communication in case of a cybersecurity incident, ensuring stakeholders are kept informed about cybersecurity initiatives and incidents.

10. Leverage a Third-Party Consultant

Engage cybersecurity consultants or managed security service providers to enhance your organization’s security posture. These external professionals can provide valuable expertise and support, helping to identify vulnerabilities, implement best practices and respond effectively to incidents.

Quick Guide for Replacing CAT

Once the appropriate cybersecurity controls are in place, follow this quick guide on what to consider when replacing the CAT.

1. IT and GLBA Risk Assessment

Update the IT and GLBA Risk Assessments to ensure all cyber-related threats and mitigating controls are included. The threats and mitigating controls in these assessments should align with the controls outlined in the NIST, ISO and/or CIS frameworks. If this alignment is not already in place at the institution, it should be planned as part of the next risk assessment update.

2. NIST CSF Maturity Assessment

If the organization wants to continue with maturity assessments, consider implementing the NIST CSF Maturity Assessment, as it is the tool that most closely aligns with the FFIEC CAT. Keep in mind that there are key differences in the maturity ratings and expectations between the CAT and the CSF tools.

With the CAT, examiners expect all financial institutions to maintain, at a minimum, the Baseline maturity. There is currently no equivalent in the NIST CSF to the Baseline or Evolving maturity levels. NIST CSF maturity ratings range from 0 to 5, with zero meaning not in place at all and five being the most evolved (formally documented policy and implemented controls). Ideally, most community banks would want to strive for a rating of around 2.5 to 3.5 in each domain.

3. Gap Assessment

Perform a gap assessment against the chosen framework to identify any control enhancements that would need to be implemented to meet it. While not required, it is recommended that the gap assessment be performed in late 2024 or early 2025 to help with the transition between frameworks.

Alternatives to the FFIEC CAT Tool

Financial institutions should consider implementing an alternative cybersecurity framework before the CAT is sunset. Below are some options that may help organizations identify cybersecurity risks:

NIST Cybersecurity Framework 2.0

Developed by the National Institute of Standards and Technology (NIST), this framework helps organizations manage and identify cybersecurity risks. It provides a structured approach to identifying, protecting against, responding to and recovering from cyber threats. The NIST CSF 2.0 is an industry-agnostic tool that aligns with various regulatory requirements and assists organizations in measuring cybersecurity maturity.

CISA CPGs

The Cybersecurity and Infrastructure Security Agency’s (CISA) Cybersecurity Performance Goals (CPGs) help organizations focus on specific, broadly applicable cybersecurity threats. The CPGs offer a set of baseline controls that assist in benchmarking and improving overall cybersecurity maturity. These industry-agnostic controls focus on securing the United States’ critical infrastructure, not just the practices that address risk to individual entities.

CIS Critical Security Controls

The Center for Internet Security (CIS) Controls are a prescriptive, prioritized and simplified set of best practices that companies can use to strengthen their cybersecurity posture. Implementing the CIS Controls creates an on-ramp to compliance with PCI DSS, HIPAA, GDPR and other industry regulations. The CIS Controls also provide foundational security measures to achieve essential cyber hygiene, which is critical to protecting against cyber-attacks.

CRI Profile v2.0

The Cyber Risk Institute (CRI) Profile is based on the NIST “Framework for Improving Critical Infrastructure Cybersecurity.” The Profile was built to be straightforward to adopt and is aligned with the latest version of the NIST CSF. The CRI Profile is also included in the first group of documents mapped to NIST CSF version 2.0, an effort that seeks to standardize mappings between documents.

How Can Cherry Bekaert Help?

Cherry Bekaert’s Information Assurance and Cybersecurity practice consists of professionals experienced in a full range of IT and Information Security services. Our banking consultants regularly perform implementation and auditing services for financial institutions and are well-versed in assisting with regulatory compliance. We work with examiners and external auditors throughout the U.S., bringing a wealth of knowledge and insight to not only secure the environment but also stay off the regulatory radar.

To help create a smooth transition away from CAT, Cherry Bekaert can:

  • Provide guidance on selecting an appropriate cybersecurity framework tailored to your organization’s needs.
  • Help implement a new cybersecurity framework.
  • Perform gap assessments.
  • Perform cybersecurity testing, specifically internal and external vulnerability and penetration testing, social engineering exercises, firewall configuration review and an Office 365 security review.
  • Assist with policy updates or development.
  • Assist with incident response plan maintenance, implementation and/or testing.

Reach out to our Cybersecurity professionals or your Cherry Bekaert advisor today to learn more about how we can assist with your cybersecurity framework and security posture.

Contributors

Kurt Manske

Information Assurance & Cybersecurity Leader

Partner, Cherry Bekaert Advisory LLC

Chris Purvis

Financial Institutions Leader

Partner, Cherry Bekaert LLP
Partner, Cherry Bekaert Advisory LLC

Audrey Magennis

Information Assurance & Cybersecurity

Director, Cherry Bekaert Advisory LLC

Steven J. Ursillo, Jr.

Information Assurance & Cybersecurity

Partner, Cherry Bekaert LLP
Partner, Cherry Bekaert Advisory LLC