Questions About the Sunsetting of the FFIEC CAT
The retirement of the CAT on August 31, 2025, does not change compliance requirements but signals a transition to tools that address current and emerging threats. To prepare for this shift, institutions should examine current practices, assess new resources, and stay informed.
We are here to support you by addressing any questions you have regarding the CAT, new assessment tools, and examiner and auditor expectations. Below are some of the initial questions institutions have been asking.
Financial institutions are encouraged to explore other industry-standard cybersecurity assessment tools to ensure compliance and maintain robust defenses. Appropriate options include the latest government and industry-developed resources to ensure that cybersecurity control strategies do not remain stagnant and evolve with emerging threats.
The FFIEC does not currently endorse any specific tool; however, NIST CSWP 29, The NIST Cybersecurity Framework (CSF) 2.0, the Cyber Risk Institute's (CRI) Cyber Profile, and the Center for Internet Security (CIS) Critical Security Controls are key alternatives. These tools are recognized for their ability to integrate with various frameworks and to assist financial institutions in continuously evolving their cybersecurity posture.
At UFS/Safe Systems, we also recommend augmenting one of the comprehensive tools listed above with Ransomware Self-Assessment Tool Version 2.0 (RSAT 2.0) created by a consortium of state banking organizations, the FBI and the Bankers Electronic Crimes Task Force. This self-assessment takes a unique approach to cyber preparedness by addressing a specific but prolific cyber-attack vector: Ransomware.
The Advisory/Compliance Services Team at UFS/Safe Systems believes that the changes in cyber preparedness framework options, including the use of a multi-dimensional approach, mark an opportunity for banks to enhance their efforts to improve the cybersecurity posture of their organization.
Financial institutions should prepare for the transition well ahead of the August 31, 2025, deadline. Considerations include:
1. Review Current Practices: Begin with a thorough review of your current cybersecurity practices using the CAT. Identify any gaps or areas that require improvement and benchmark them against the new tools recommended by the FFIEC. Use your latest CAT (2024 or early 2025 version) as a platform for moving forward with a new tool.
2. Evaluate New Resources: Engage your IT, cybersecurity teams, trusted third parties, and peers to understand how the available frameworks may be integrated into your existing processes. Consider tools that align with your institution’s asset size, risk profile, and existing infrastructure. Also include your cyber risk appetite, growth objectives, and previous experiences with impactful cyber-attacks.
4. Train and Educate: Ensure your staff are comfortable with the newly adopted framework(s). Comprehensive training and continuous education are essential in adapting to new cybersecurity measures and maintaining a strong defense against emerging threats. Consider partnering with a trusted third party to complete the cyber assessment process year after year with your staff; this way you gain the benefit of the experience the third party has with other like-minded FIs.
5. Stay Informed: Participate in webinars and discussions hosted by the FFIEC, federal/state regulators, IT audit firms, and other reputable cybersecurity organizations like FS-ISAC to stay updated on best practices and new developments in the field.
The evolution of cybersecurity demands that financial institutions stay agile and informed about the latest tools and frameworks. The sunsetting of the CAT provides an opportune moment for banks to reassess their cybersecurity strategies and align with contemporary measures that offer a customized approach to security. By proactively adopting new resources and continuously evaluating cybersecurity practices, financial institutions can better manage risks and safeguard against cyber exposure and loss of customer confidence.
Financial institutions can access resources on updating their cybersecurity assessment tools from the FFIEC’s website, industry publications, professional associations, and cybersecurity solution providers.
Safe Systems stands ready to support you through this transition, ensuring that your institution remains resilient and secure in an ever-changing threat landscape. If you have any concerns regarding your Information Security Program and/or IT Management Policies/Procedures, or simply need a second opinion, please consider taking advantage of our complimentary InfoSec Program Review.
Institutions may choose to continue using the CAT as an internal reference; however, it will no longer receive official support or updates from the FFIEC. Financial institutions should prioritize transitioning to updated cybersecurity assessment tools to align with best practices.
The sunsetting of the CAT does not alter existing compliance requirements but signals a shift towards newer assessment tools that better address current cybersecurity threats. Institutions must ensure their cybersecurity framework remains compliant and effective without reliance on the CAT. The retirement of the CAT may lead auditors and examiners to expect the use of updated assessment tools in evaluating cybersecurity practices. Financial institutions should prepare to demonstrate how their new tools meet or exceed the capabilities of the CAT during audits.