Cybersecurity Assessment Tool Sunset: What Now?

See what financial institutions should consider before the FFIEC CAT sunsets on August 31, 2025.

On September 5, 2024, the Federal Financial Institutions Examination Council (FFIEC) announced it would sunset the FFIEC Cybersecurity Assessment Tool (CAT) on August 31, 2025. According to the Federal Reserve, the CAT was released in June 2015 as a voluntary assessment tool to help financial institutions identify their risks and determine their cybersecurity preparedness. Although the current controls addressed in the CAT are sound cybersecurity practices, the FFIEC notes that the decision to sunset arose from new and updated government and industry resources that financial institutions can use to better manage cybersecurity risks.

As a result, financial institutions will need to adopt a new framework to assess their cybersecurity environment. The FFIEC does not explicitly endorse the use of any tool and mentions the use of industry-developed resources, including—but not limited to—the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0, the Center for Internet Security (CIS) Critical Security Controls, and Cyber Risk Institute’s (CRI) Cyber Profile (the Profile).

The NIST CSF 2.0 provides guidance to organizations of all sizes and sectors to manage cybersecurity risks. It is organized around six core functions—Govern, Identify, Protect, Detect, Respond, and Recover—that result in 108 controls. These functions offer a comprehensive approach to understanding, assessing, prioritizing, and communicating cybersecurity efforts. The framework does not prescribe specific actions but links to resources that provide additional guidance on practices and controls to help achieve desired outcomes. This flexibility allows organizations to tailor the framework to their unique needs and maturity levels.

The CIS Critical Security Controls are a set of best practices designed to help organizations improve their cybersecurity posture. These controls are prescriptive, prioritized, and simplified, making them accessible and actionable for organizations of all sizes. The latest version, CIS Controls v8.1, includes 18 top-level controls, each with specific safeguards to address various aspects of cybersecurity.

The CRI Profile was created through public and private collaboration, drawing on global regulations and cybersecurity standards such as those of the International Standards Organization and the NIST CSF. The Profile's framework of 318 diagnostic statements for financial institutions is based on more than 2,500 regulatory, official-guidance, and other supervisory provisions worldwide. The number of diagnostic statements you must address depends on the impact a substantial cybersecurity event at your institution would have on the global, national, sector, or local market. The CRI provides nine questions to help you determine which of four impact tiers your organization falls into.

In addition, the CRI Profile provides a mapping to the CAT, which can allow your institution to begin transferring its current CAT-based assessment into the Profile. However, the mapping between the CRI Profile and the CAT is not one-to-one: the mapped items do not use the same language as the CAT and will require further assessment. Organizations adopting this framework that want to carry over the mapped items should be aware that the CAT's requirements can be insufficient for today's threat landscape. The transferred items are a useful starting point, but it is important to review the Profile's language and identify any additional gaps that must be addressed to help ensure you are complying with the CRI Profile.

Like the FFIEC, Forvis Mazars does not endorse the use of one framework over another. However, of the frameworks the FFIEC mentions as replacements for the CAT, only the CRI Profile was specifically curated for financial institutions, provides a direct mapping to the CAT for an easier transition, and scopes its requirements according to your impact tier.

While the CAT is not set to retire until August 31, 2025, it is important to begin planning your transition as soon as possible: decide which framework best suits your organization's needs; determine the resources, including time and budget, needed to complete the migration; and identify potential control gaps that will need to be addressed. If your organization needs assistance migrating to any of these new frameworks, please contact a professional at Forvis Mazars.
