OFFICIAL PUBLICATION OF THE WEST VIRGINIA BANKERS ASSOCIATION

2025 Pub. 16 Issue 1

Preparing for the FFIEC CAT Phase-Out

Exploring New Cybersecurity Assessment Options for Financial Institutions

The FFIEC Cybersecurity Assessment Tool (CAT) has been a critical resource for financial institutions to assess their cybersecurity preparedness. However, with the upcoming phase-out of the CAT on Aug. 31, 2025, financial institutions must prepare to adopt a new framework to maintain effective cybersecurity risk management. In this article, we’ll review the intentions of the CAT, key dates to be aware of, and explore viable alternatives for future assessments.

The FFIEC CAT was first introduced to help financial institutions benchmark their cybersecurity posture, create a path for continuous cybersecurity improvement, and provide evidence for audits and examinations. Despite these benefits, the CAT presented several challenges, particularly for smaller institutions. With 494 declarative statements, scaling it for all sizes of financial institutions proved difficult, leading to the decision to phase it out.

Exploring Viable Alternatives

The announcement from the FFIEC on Aug. 29, 2024, provided examples of several frameworks and tools that are available to replace the CAT. Each option offers unique benefits, depending on the size and complexity of the institution. It will be important for financial institutions to select a cybersecurity risk management framework that aligns with their size and complexity and delivers the benefits required by their cybersecurity goals. Here, we briefly discuss the frameworks to give financial institutions a starting point for selecting the appropriate one:

  1. NIST Cybersecurity Framework 2.0: The NIST Cybersecurity Framework 2.0 includes six core functions (Govern, Identify, Protect, Detect, Respond and Recover), making it a comprehensive option for managing cybersecurity risks. It’s widely recognized as the gold standard in risk management and is adaptable to financial institutions of various sizes. NIST CSF 2.0 can be used as a maturity model using a four-tiered system, providing a path to improving cyber maturity over time. The framework, however, is large and could prove laborious for a community bank to execute, given the myriad responsibilities that tend to fall to IT and Operations teams in smaller settings.
  2. CISA Cyber Performance Goals: Designed specifically for small- and medium-sized businesses, the CISA Cyber Performance Goals are practical, threat-informed goals that align with NIST but exclude the Govern function. The goals themselves declare that they are not a framework. However, they offer actionable steps for improving both IT and operational technology (OT) cybersecurity. The CISA Cyber Performance Goals could be considered a minimum set of cybersecurity standards, so if financial institutions choose to adopt this model, they may need to migrate to another, more sophisticated model after achieving the stated goals.
  3. Cyber Risk Institute (CRI) Cyber Profile: Focused on financial institutions, the CRI Cyber Profile is a streamlined tool that helps financial institutions assess cyber risk based on the significance of the institution’s impact on the financial system. The Cyber Risk Institute (CRI) is a nonprofit coalition of financial institutions and trade associations that lends industry knowledge to the CRI Cyber Profile. Most community banks will likely fall into the Tier 4 category, which contains 208 diagnostic statements, significantly fewer than the FFIEC CAT’s 494 declarative statements. It’s self-contained within an Excel format and allows FIs to complete only the applicable tier, making it ideal for community financial institutions. If this sounds similar to the CAT, it is. Of all the frameworks evaluated here, the CRI Cyber Profile will look and feel most like the FFIEC CAT.
  4. CIS Top 18 Controls: The CIS Top 18 Controls provide a set of best practices categorized into three implementation groups (IGs) based on a company’s size and cybersecurity resources. Although the title says Top 18 Controls, the CIS Controls are really 18 control families. Each control family includes a series of safeguards with understandable definitions and control suggestions. The CIS Controls are industry-agnostic, so don’t expect to find financial institution-specific controls. The controls provided, however, are sound and will provide financial institutions with a valuable roadmap to improve their cybersecurity posture.
  5. AICPA SOC for Cybersecurity: You have probably seen SOC 1 and SOC 2 reports as part of your vendor management and due diligence process. A lesser‑known but equally valuable report is the SOC for Cybersecurity Examination, which offers an attestation report and opinion from an independent CPA firm on the cybersecurity risk management program of any entity, not just third-party service providers. It evaluates management’s description of its cybersecurity risk management program and the operating effectiveness of controls supporting its cybersecurity objectives. Often, the cybersecurity controls are defined using the AICPA’s Trust Services Criteria for security, availability and confidentiality, similar to a SOC 2 report. A unique characteristic of the SOC for Cybersecurity report is its designation as a general use report, which means distribution of the report is not limited and can, therefore, be shared with shareholders, customers, prospective customers, vendors and any other stakeholder.

With the CAT’s removal on the horizon, financial institutions should begin planning their transition to an alternative framework. For more detailed guidance on preparing for the CAT phase-out, watch a previously recorded webinar presented by YHB’s Risk Advisory Services expert, Bryan Newlin, CPA, CISA, on YHB’s Engagement Hub.

Bryan began his career with YHB in 2005 and has been a key leader in YHB’s respected Risk Advisory Services practice since 2007. Focusing attention on two of the most well-known technology internal control frameworks — the AICPA’s Trust Services Categories and ISACA’s COBIT® framework — Bryan works across industries to help clients identify and mitigate information and technology risk.
