On August 29, 2024, the Federal Financial Institutions Examination Council (FFIEC) announced its plan to sunset the Cybersecurity Assessment Tool (CAT) on August 31, 2025. This decision has been anticipated for some time and marks a significant shift in how many financial institutions will assess and manage their cybersecurity risks moving forward.
The CAT, introduced in June 2015 (9 years ago – coincidence?), has been a "voluntary" organizational cybersecurity risk assessment tool financial institutions use to determine an organizational inherent risk level and their cybersecurity maturity and preparedness across five different cybersecurity domains.
The FFIEC and its regulatory agencies have been debating behind the scenes about whether to update the CAT to version 2.0 or simply recommend other widely adopted cybersecurity frameworks. We finally have our answer – the CAT's lives have all been used up.
While the CAT has been instrumental in helping institutions enhance their cybersecurity posture, the FFIEC has decided not to update the tool. Instead, the FFIEC highlights alternative cybersecurity frameworks that institutions may use, without explicitly recommending any specific one, including:
- National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0
- Center for Internet Security (CIS) Critical Security Controls (CSC)
- Cyber Risk Institute (CRI) Profile
- Cybersecurity and Infrastructure Security Agency's (CISA) Cybersecurity Performance Goals
NOTE: While the FFIEC CAT will be sunset, the National Credit Union Administration (NCUA) will continue to support and encourage credit unions to use the Automated Cybersecurity Examination Tool (ACET).
Thoughts on the CAT's Demise
SBS' stance on the CAT has been two-fold for a while:
- The risk management framework of the CAT was excellent. The framework included an inherent risk component, a cyber maturity component, and, best of all, PRESCRIPTIVE actions and controls to which ALL financial institutions, regardless of size, complexity, or geography, were held.
- The CAT's content was severely outdated. A lot has happened in the world of technology over the last nine years, and the CAT hasn't kept up.
Additionally, the CAT's baseline cyber maturity controls were mapped to NIST CSF 1.1. Once NIST released CSF 2.0, it logically made sense that the decision point for the FFIEC CAT was coming soon.
Thus, one of two things was bound to occur:
- The FFIEC CAT needed to be updated for modern technologies, threats, and controls – as well as aligned with NIST CSF 2.0.
- OR the FFIEC CAT goes away, and regulators take the easier path of telling financial institutions to use existing cybersecurity frameworks.
Personally (speaking as Jon here), I'm disappointed that the FFIEC has decided to sunset CAT rather than update the tool for a handful of significant reasons:
- Other cybersecurity frameworks are NOT risk assessments. NIST CSF, CIS CSC, and CISA's Cybersecurity Performance Goals do not have inherent risk vs. residual risk ratings or metrics. Yes – you can have a variety of assessments performed to determine how well you are doing at implementing one of these standards, but the lack of a "risk assessment" process is disappointing.
- The CRI Profile, on the other hand, DOES have a high-level risk assessment element to its framework. In addition to mapping to the NIST CSF and other FFIEC regulations, it is also specifically tailored to the financial industry. We expect to see a significant uptick in its use.
- We were big fans of the FFIEC CAT's "prescriptive" nature. Our regulatory friends tend to avoid being very prescriptive; however, the opposite was true with the CAT, which gave financial institutions a clear picture of what was expected of them and of their next steps in each case. This was a welcome change from previous and future guidance.
That said, NIST CSF and CIS CSC are widely adopted and updated on a fairly regular basis. The CRI Profile has also been updated recently, is based on NIST CSF and financial institution guidance, and has been gaining traction. These are absolutely solid options for any financial institution to leverage as a cybersecurity framework, and it's ultimately not surprising that the FFIEC is directing financial institutions to already-existing frameworks rather than recreating its own standard.
What's Next - How Should Financial Institutions Respond?
Transition to a New Cybersecurity Framework/Resources
If your financial institution has not started looking into an alternative framework, now's the time! You still have a full year in which you can use the CAT for audit and exam purposes, should you choose to; even so, you have likely already been exploring alternative cyber frameworks either way.
Remember—there is no prescription for which cybersecurity framework you should leverage. However, your regulator is expected to no longer accept the CAT as your "organizational cyber risk assessment" or framework after August 31, 2025.
Your examiner will also likely raise this topic at your next exam if you have not already started looking at options other than the CAT.
Participate in Webinars and Training
The FFIEC plans to host a webinar on new and updated resources that financial institutions can use to manage cybersecurity risks. The webinar is scheduled for October 17, 2024, and will be announced via BankNet. Institutions should take advantage of these training opportunities to stay informed about the latest best practices.
The SBS Institute will host a Hot Topic Webinar on the FFIEC CAT sunset and alternative cybersecurity tools/frameworks to explore on Tuesday, September 10th, from 2:00 PM to 3:30 PM Central.
Register for The End of FFIEC CAT: Essential Updates and Next Steps.
SBS has been on top of NIST CSF 2.0 since the official framework was launched earlier this year, including a special Hot Topic Webinar on all things NIST CSF 2.0.
View the Getting to the Core of the NIST CSF 2.0 Next-Gen Cybersecurity Framework.
SBS also posted a comprehensive guide that explores the advancements of NIST CSF 2.0. The blog details new cybersecurity enhancements, risk management strategies, and organizational benefits.
Read the Understanding NIST CSF 2.0: A Comprehensive Guide to Advanced Cybersecurity Measures blog.
Leverage Cyber Risk Tools
Releasing a new NIST CSF module is on the TRAC roadmap. While we're not quite ready to give you a specific date, we're looking at the first half of 2025 to give you plenty of time to transition away from the CAT.
If you're looking to build NIST CSF 2.0 into a "risk assessment" via Excel in the meantime while you wait for NIST CSF in TRAC, check out how former CISO John Masserini has done it.
As mentioned above, the CRI Profile is another cybersecurity framework that incorporates financial institution guidance alongside NIST CSF and other laws/regulations. It may be helpful to institutions that want a more FI-focused framework.
Stay Informed and Engaged
Stay informed about the latest developments in cybersecurity by subscribing to FFIEC press releases and announcements. Engaging with industry peers and participating in cybersecurity forums like FS-ISAC and local banking association conferences and events can also provide valuable insights and support.
Continue to follow SBS CyberSecurity on LinkedIn and through the SBS Institute for more cybersecurity education, training, webinars, certifications, and updates!
How SBS Will Handle the Demise of the CAT
The good news here is that while SBS has certainly used the FFIEC CAT a lot over the last nine years, our various teams of cybersecurity professionals are well-versed in the vast majority of cybersecurity frameworks out there today. NIST CSF, along with other industry cyber frameworks and standards, have been baked into SBS products and services for years.
SBS offers a NIST CSF Assessment to help you determine where you are today regarding the adoption or deployment of NIST CSF vs. where you want to be in the future and how you can close those gaps.
SBS vCISO services are designed to help you with all of your up-front cybersecurity program governance challenges, from policy and procedure development, to performing the various cyber and IT-related risk assessments required, to training and education. An SBS vCISO service can be tailored to any cybersecurity framework that you have already deployed or desire to implement.