By John Carlson
Nearly 10 years ago the Federal Financial Institutions Examination Council released the first version of its Cybersecurity Assessment Tool, or CAT. While “voluntary,” the regulatory agencies stated that the CAT was designed to “help institutions identify their risks and determine their cybersecurity maturity.” Over the past decade, banks have relied on the CAT to measure maturity, even as regulators assert that demonstrating compliance with regulatory expectations is voluntary.
CAT sunsets in 2025
Last year, the FFIEC announced it would sunset the CAT in August 2025, stating that “while the fundamental security controls addressed throughout the maturity levels of the CAT are sound, several new and updated government and industry resources are available that financial institutions can leverage to better manage cybersecurity risks.”
“The FFIEC Cybersecurity Assessment Tool has served as an invaluable resource for the community banking industry, providing a structured, supervisory agency-aligned framework that has significantly elevated cybersecurity awareness and governance at each bank that has deployed it,” says Trey Maust, executive chairman of Lewis and Clark Bank. “Its strength lies in translating complex technical risks into accessible insights, enabling more strategic decision-making and resource allocation.”
He adds: “The FFIEC CAT was also unparalleled in articulating and measuring the inherent risk profile of an institution. This has been instrumental for bank management and boards to ensure that technical, process and other controls are in place to specifically mitigate the inherent risks unique to each institution.”
According to Julie Rohlena, SVP at U.S. Bank, “The benefit [of the CAT] was having a structured framework for evaluating cybersecurity programs against a model recognized by regulators. However, the fast-moving threat landscape limited its effectiveness. A lack of regular updates and maintenance, along with diagnostic statements that reflected fixed maturity levels, made it a static model. It couldn’t reflect evolving cyber risk, which decreased its value in informing effective mitigation strategies.”
The regulatory agencies point to other U.S. government frameworks, such as the National Institute of Standards and Technology Cybersecurity Framework 2.0 and the Cybersecurity and Infrastructure Security Agency’s Cybersecurity Performance Goals, as well as industry-developed resources, such as the Cyber Risk Institute’s Cyber Profile and the Center for Internet Security Critical Security Controls.
Banks migrate to recommended frameworks
As the countdown accelerates to the CAT sunset, banks are evaluating recommended replacements. One of the industry-developed options that banks are exploring is the CRI Profile. The CRI Profile is managed by a nonprofit organization that was developed through the collaborative work of ABA, the Bank Policy Institute/BITS and the Financial Services Sector Coordinating Council. Josh Magri serves as its president and says the CRI Profile is designed to “help financial institutions focus cybersecurity experts’ time on protecting global financial platforms, rather than compliance activity, by leveraging the NIST Cybersecurity Framework as a common language.”
Magri adds, “CRI has proven the NIST CSF’s usability and extensibility as a standard framework for managing cyber risk in financial institutions by tying it to regulatory provisions through the CRI Profile. With nearly 100 members, CRI has updated the profile almost every year, extended its application with the cloud profile, defined minimum controls for third parties that map to the CISA Cyber Performance Goals and NIST CSF, and introduced a maturity model assessment for peer comparisons and benchmarking.”
Banks that embrace the CRI Profile cite several key benefits.
U.S. Bank’s Rohlena adds: “The FFIEC CAT’s inadequacies were a primary driver. But the CRI Profile’s alignment with the NIST Cybersecurity Framework and other widely accepted industry standards is also key. This enhances banks’ regulatory compliance and reduces the burden of demonstrating adherence to multiple frameworks. A couple of other factors are the CRI Profile’s continuously updated diagnostic statements, which reflect the dynamic nature of cyber threats, and its forward-looking maturity model. This helps financial institutions proactively identify and address emerging risks. Plus, support for the CRI Profile from FFIEC and international regulatory bodies solidifies its credibility and long-term viability.”
“Beyond its alignment with the NIST CSF and other industry standards, the dynamic nature of its diagnostic statements provides a more accurate and timely assessment of cyber risk. Its ongoing evolution ensures that cybersecurity programs remain aligned with best practices and regulatory expectations. This helps financial institutions mitigate future vulnerabilities, enhance their overall security posture and allows for more efficient and focused remediation efforts.”
Meanwhile: Cyber threat continues to evolve
Over the past decade, banks have dealt with increasing cyber threats. Adversaries target banks, their customers and third-party providers. Banks are on guard to fend off ransomware attacks, distributed denial of service attacks and phishing attacks designed to defraud bank customers, to name a few. Emerging risks include the expanding use of generative AI, which can create convincing deepfakes that lure and then defraud bank customers and bank employees alike. Quantum computers may pose a threat to widely used encryption and could have serious security and privacy implications if banks and service providers do not implement quantum-resistant cryptographic algorithms to protect data against future quantum threats.
Since the cyber threat environment and technology environment are constantly changing, banks cannot assume that what worked last year will work this year, so any assessment and maturity framework needs to evolve.
In February, Federal Reserve Governor Michelle Bowman noted: “Because cyber threats evolve quickly, cybersecurity must be equally dynamic in its response. Banks must continuously refine their risk management processes.”
Lewis and Clark Bank’s Maust argues that “[a]s we look to successor tools, it is important for the industry to have ready access to an effective inherent risk measurement and benchmarking tool akin to that provided in the FFIEC CAT — particularly one that is periodically updated for the ever-changing banking and cybersecurity landscape.”
CRI’s Magri says that “CRI is also focused on operationalizing NIST for artificial intelligence and aligning the profile to broader risk management.”
Regulatory focus and outreach ramps up
In another speech last fall, Fed Governor Bowman linked cyber threats with the need for resources to support banks: “We know well that cyber threats pose real risks to the banking system. We also recognize that community banks may have unique needs in preventing, remediating and responding to cyber threats. Therefore, regulators should ensure that a range of resources are available to support community banks and seek further opportunities to help build community bank resilience against these threats.”
Regulators are gearing up to educate banks about the transition, including outreach events that the Federal Reserve is organizing in coordination with ABA.
Conclusion
If a cat has nine lives, then perhaps it’s fitting that the FFIEC announced its CAT would be retired after nine years. The good news is that banks have good alternatives, and the march is on to select those that work best and address the evolving cyber risks and regulatory expectations banks will face in the years to come.
John Carlson is SVP, cybersecurity regulation and resilience at ABA.