The Federal Financial Institutions Examination Council (FFIEC) recently announced that the Cybersecurity Assessment Tool (CAT) will sunset on August 31, 2025. This tool, utilized since 2015, has aided financial institutions by providing a structured approach to identify risks and gauge preparedness in managing cybersecurity.

The Shift in Cybersecurity Landscape

The priority of this ongoing objective hasn’t diminished. However, the CAT has been losing its value over the last few years, as many FIs have maximized their maturity levels in the 5 security domains. The industry is long overdue in leaning into a “refreshed” option to annually assess evolving inherent cyber risk and the evolving maturity of cybersecurity controls. Newer tools like the Ransomware Self-Assessment Tool Version 2.0 (RSAT 2.0), created by a consortium of state banking organizations, the FBI, and the Bankers Electronic Crimes Task Force, have taken a unique approach to cyber preparedness by addressing a specific but prolific cyber-attack vector: ransomware. At Safe Systems, we believe that changes in cyber preparedness framework options, including the use of a multi-dimensional approach, mark an opportunity for banks to enhance efforts to improve cybersecurity posture.

Embracing New Government Resources and Industry-Developed Tools

As the dust continues to settle regarding the front runners and frameworks emphasized by federal regulatory agencies, the FFIEC recommends several models to migrate to, including the National Institute of Standards and Technology Cybersecurity Framework 2.0 (NIST CSF 2.0) and the Cybersecurity and Infrastructure Security Agency’s (CISA) Cybersecurity Performance Goals. These frameworks are designed to be industry-agnostic, providing a wide array of controls and best practices that can be customized to fit the unique needs of financial institutions. The inclusion of the latest government resources ensures that cybersecurity measures do not remain stagnant and instead evolve with emerging threats.

In addition to government resources, industry-developed tools such as the Cyber Risk Institute’s (CRI) Cyber Profile and the Center for Internet Security Critical Security Controls are key alternatives. These tools are endorsed for their ability to integrate with various frameworks and assist financial institutions in continuously evolving their cybersecurity posture.

Preparing for the Transition

As the sunset of the FFIEC CAT approaches, it’s important for financial institutions to prepare for the change to alternate risk assessment methodologies. Considerations include:

  1. Review Current Practices: Begin with a thorough review of your current cybersecurity practices using the CAT. Identify any gaps or areas that require improvement and benchmark them against the new tools recommended by the FFIEC. Use your latest CAT (2024 or early 2025 version) as a platform for moving forward with a new tool.
  2. Evaluate New Resources: Engage your IT and cybersecurity teams, trusted third parties, and peers to understand how the available frameworks may be integrated into your existing processes. Consider tools that align with your institution’s asset size, risk profile, and existing infrastructure. Also include your cyber risk appetite, growth objectives, and previous experiences with impactful cyber-attacks.
  3. Train and Educate: Ensure your staff are comfortable with the newly adopted framework(s). Comprehensive training and continuous education are essential in adapting to new cybersecurity measures and maintaining a strong defense against emerging threats. Consider partnering with a trusted third party to complete the cyber assessment process year after year with your staff. This way, you gain the benefit of the experience the third party has with other like-minded FIs.
  4. Stay Informed: Participate in webinars and discussions hosted by the FFIEC, federal/state regulators, IT audit firms and other reputable cybersecurity organizations like FS-ISAC to stay updated on best practices and new developments in the field.

The evolution of cybersecurity demands that financial institutions stay agile and informed about the latest tools and frameworks. The sunsetting of the CAT provides an opportune moment for banks to reassess their cybersecurity strategies and align with contemporary measures that offer a customized approach to security. By proactively adopting new resources and continuously evaluating cybersecurity practices, financial institutions can better manage risks and safeguard against cyber exposure and loss of customer confidence.

Safe Systems stands ready to support you through this transition, ensuring that your institution remains resilient and secure in an ever-changing threat landscape. BTW - If you have any concerns regarding your Information Security Program and/or IT Management Policies/Procedures, or simply need a second opinion, please consider taking advantage of our complimentary InfoSec Program Review.

How to Navigate the Sunset of the FFIEC CAT and Integrate a New Approach to Cybersecurity Preparedness