FFIEC CAT Sunset: What You Need to Know

As any cybersecurity practitioner in the finance industry knows, it can be tedious to demonstrate compliance according to regulatory oversight. The Federal Financial Institutions Examination Council (FFIEC) developed its Cybersecurity Assessment Tool (CAT) in 2016 to help financial institutions overcome this challenge by creating a process to identify their institution's risks and determine its cybersecurity preparedness.

But the financial regulatory environment is always changing. The FFIEC announced it will sunset CAT on August 31, 2025, a change that may disrupt how you inform your cybersecurity risk management strategy. Read on to find out how you can proactively adapt to this event.

An Important Update for Financial GRC and Cybersecurity Practitioners

On August 29, 2024, the FFIEC first announced the sunset of CAT.

In its announcement, the FFIEC clarified it “will remove the CAT from the FFIEC website on August 31, 2025” after determining “not to update the CAT to reflect new government resources, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework 2.0 and the Cybersecurity and Infrastructure Security Agency’s (CISA) Cybersecurity Performance Goals.”

This change affects supervised financial institutions that used FFIEC CAT as their cybersecurity self-assessment tool. These institutions will continue to be subject to risk-focused examinations going forward.

The Use and Limitations of FFIEC CAT

To shift your financial institution's approach to cybersecurity assessments, you must first take a moment to understand what you could and could not do with FFIEC CAT. This tool was designed to provide the inherent risk profile of the institution before implementing controls. While it was designed to guide management’s assessment of your institution’s maturity level in five key domains, FFIEC CAT was not designed to identify your institution's overall cybersecurity maturity level. As such, the methodology supporting the use of the tool was intended to complement, not replace, your institution’s risk management process and cybersecurity program.

The Future of Assessing Cyber Risk for Your Financial Institution

Fortunately, you don't need to look far to find a replacement for FFIEC CAT. As noted in the sunset announcement:

"Supervised financial institutions may also consider use of industry developed resources, such as the Cyber Risk Institute’s (CRI) Cyber Profile, and the Center for Internet Security Critical Security Controls. These tools can be used in conjunction with other resources (e.g., frameworks, standards, guidelines, leading practices) to better address and inform management of continuously evolving cyber security risk. Supervised financial institutions should ensure that any self-assessment tool(s) they utilize support an effective control environment and are commensurate with their risk."

We couldn't have said it better ourselves. Risk assessments are an incredibly important component of managing your institution's comprehensive cybersecurity program. Solid program management begins with selecting the right framework to ensure you are not only meeting regulatory expectations and demonstrating applicable industry standards compliance but are also implementing the proper set of actions that will safeguard your networks and assets to defend against top threats.

As the FFIEC said, the CIS Critical Security Controls (CIS Controls) can help you to achieve that. They are a set of prioritized defensive actions designed to defend against the most common attacks we are facing today across any industry, not just financial services. The Controls are divided into three Implementation Groups (IGs) that use data to drive and prioritize your implementation of individual security measures, or CIS Safeguards. They also help you to streamline your compliance with NIST CSF 2.0, ISO, FFIEC, HIPAA, and other industry standards through mappings that are available in the CIS Critical Security Controls Navigator. The Controls thus provide an implementation and maturity roadmap for your cybersecurity and compliance program.

Two Ways to Enhance Your Financial Cybersecurity with the CIS Controls

We get it. It's not always easy getting started with enacting a new framework, especially when you're moving from another one. That's why we've also designed an entire ecosystem of tools and resources to help you implement the CIS Controls in a way that aligns to your unique business needs.

Let's look at a couple of examples below.

Reasonably Assess Your Financial Institution's Risk

Like all other organizations in your sector, your institution is expected to adequately communicate and assess risk. Most senior governance, risk, and compliance (GRC) professionals, along with cybersecurity practitioners, ask themselves or have been asked, “How much security is 'reasonable'?” and “How do we demonstrate that?” The answer to these questions isn't obvious. As we explain in our Reasonable Cybersecurity Guide, while many U.S. state data privacy laws require cybersecurity programs to meet the standard of reasonableness, none of them explains what organizations must do to fulfill this standard.

This is where our free-to-use CIS Risk Assessment Method (RAM) can help. Blending both qualitative and quantitative risk analysis, CIS RAM doesn't just empower you to determine your risk based upon your Controls implementation. It also provides a method for determining whether the security controls you’ve implemented are reasonable. CIS RAM takes the guesswork out of evaluating risk by calculating the likelihood of an impact to your institution in the language of your institution, enabling you to apply just the right amount of security for your business needs.

Prioritize and Track Your Controls Implementation

One of the most important things you need to do when adopting a new framework is demonstrate progress. Leadership wants to understand how your implementation efforts minimize risk and how you plan to strengthen your institution's cybersecurity posture going forward. Auditors can use this same information to evaluate the effectiveness of your controls program.

Which brings us to the pro version of our CIS Controls Self Assessment Tool (CIS CSAT Pro). Available exclusively to CIS SecureSuite® Members, CIS CSAT Pro enables organizations of any size and resource level to track and prioritize their implementation of the Controls at the CIS Safeguard level. This means you can track and manage your implementation roadmap over time as well as upload and share documentation (evidence, policies, files, etc.) that could be very useful in an internal or external audit examination. CIS CSAT Pro also enables you to measure your progress against peers in your industry, giving you an additional input for planning out and receiving buy-in for your implementation efforts.

Want to learn more about how you can strengthen your cybersecurity posture with CIS CSAT Pro? Check out our video below.


Now Is the Time to Embrace Change

It is important to act now and proactively prepare for the FFIEC CAT sunset! While you may have used the tool for many years, its retirement gives you an opportunity to take charge of improving your cyber hygiene. Backed by data and adopted globally, our CIS Controls tools and resources are designed to guide you every step of the way.

Ready to take the first step?

Banking on CIS Webinar