The Federal Financial Examination Council (FFIEC) announced that it will be sunsetting its cybersecurity assessment tool on August 31, 2025. Below is the OCC’s statement:
“The CAT was released in June 2015 as a voluntary assessment tool to help financial institutions identify their risks and determine their cybersecurity preparedness. While the fundamental security controls addressed throughout the maturity levels of the CAT are sound, several new and updated government and industry resources are available that financial institutions can leverage to better manage cybersecurity risks.
After much consideration, the FFIEC has determined not to update the CAT to reflect new government resources, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework 2.0 and the Cybersecurity and Infrastructure Security Agency’s (CISA) Cybersecurity Performance Goals. Supervised financial institutions can instead refer directly to these new government resources. CISA released Cross-Sector Cybersecurity Performance Goals in 2023 and is preparing to release Cybersecurity Performance Goals for the Financial Sector later this year. These resources were developed to help organizations of all sizes and sectors manage and reduce their cybersecurity risk in alignment with a whole-of-government approach to improve security and resilience.”
The Impact
Since being released in 2015, the FFIEC CAT required banks to perform assessments over their cybersecurity posture and document their cyber risk appetite. With the quick-moving nature of cyber risks, the FFIEC is sunsetting the tool and now recommends banks pivot to more widely accepted frameworks of assessing their cyber posture.
Contact our IT Risk & Compliance team at Forvis Mazars for help with your bank’s future cyber risk needs.