ABA Banking Journal
No Result
View All Result
  • Topics
    • Ag Banking
    • Commercial Lending
    • Community Banking
    • Compliance and Risk
    • Cybersecurity
    • Economy
    • Human Resources
    • Insurance
    • Legal
    • Mortgage
    • Mutual Funds
    • Payments
    • Policy
    • Retail and Marketing
    • Tax and Accounting
    • Technology
    • Wealth Management
  • Newsbytes
  • Podcasts
  • Magazine
    • Subscribe
    • Advertise
    • Magazine Archive
    • Newsletter Archive
    • Podcast Archive
    • Sponsored Content Archive
SUBSCRIBE
ABA Banking Journal
  • Topics
    • Ag Banking
    • Commercial Lending
    • Community Banking
    • Compliance and Risk
    • Cybersecurity
    • Economy
    • Human Resources
    • Insurance
    • Legal
    • Mortgage
    • Mutual Funds
    • Payments
    • Policy
    • Retail and Marketing
    • Tax and Accounting
    • Technology
    • Wealth Management
  • Newsbytes
  • Podcasts
  • Magazine
    • Subscribe
    • Advertise
    • Magazine Archive
    • Newsletter Archive
    • Podcast Archive
    • Sponsored Content Archive
No Result
View All Result
No Result
View All Result
Home Cybersecurity

The nine lives of the FFIEC cyber assessment tool

As the countdown accelerates to CAT sunset, banks are evaluating recommended replacements.

April 21, 2025
Reading Time: 4 mins read
Ransomware in the financial sector

By John Carlson

Nearly 10 years ago the Federal Financial Institutions Examination Council released the first version of its Cybersecurity Assessment Tool, or CAT. While “voluntary,” the regulatory agencies stated that the CAT was designed to “help institutions identify their risks and determine their cybersecurity maturity.” Over the past decade, banks have relied on the CAT to measure maturity, even as regulators assert that demonstrating compliance with regulatory expectations is voluntary.

CAT sunsets in 2025

Last year, the FFIEC announced it would sunset the CAT in August 2025, stating that “while the fundamental security controls addressed throughout the maturity levels of the CAT are sound, several new and updated government and industry resources are available that financial institutions can leverage to better manage cybersecurity risks.”

“The FFIEC Cybersecurity Assessment Tool has served as an invaluable resource for the community banking industry, providing a structured, supervisory agency-aligned framework that has significantly elevated cybersecurity awareness and governance at each bank that has deployed it,” says Trey Maust, executive chairman of Lewis and Clark Bank. “Its strength lies in translating complex technical risks into accessible insights, enabling more strategic decision-making and resource allocation.”

He adds: “The FFIEC CAT was also unparalleled in articulating and measuring the inherent risk profile of an institution. This has been instrumental for bank management and boards to ensure that technical, process and other controls are in place to specifically mitigate the inherent risks unique to each institution.”

According to Julie Rohlena, SVP at U.S. Bank, “The benefit [of the CAT] was having a structured framework for evaluating cybersecurity programs against a model recognized by regulators. However, the fast-moving threat landscape limited its effectiveness. A lack of regular updates and maintenance, along with diagnostic statements that reflected fixed maturity levels, made it a static model. It couldn’t reflect evolving cyber risk, which decreased its value in informing effective mitigation strategies.”

The regulatory agencies point to other US Government frameworks such as the National Institute of Standards and Technology Cybersecurity Framework 2.0 and the Cybersecurity and Infrastructure Security Agency’s Cybersecurity Performance Goals as well as industry developed resources, such as the Cyber Risk Institute’s Cyber Profile and the Center for Internet Security Critical Security Controls.

Banks migrate to recommended frameworks

As the countdown accelerates to CAT sunset, banks are evaluating recommended replacements. One of the industry-developed options that banks are exploring is the CRI Profile. The CRI Profile is managed by a nonprofit organization that developed through collaborative work of ABA, Bank Policy Institute/BITS and Financial Services Sector Coordinating Council. Josh Magri serves as its president and says the CRI Profile is designed to “help financial institutions focus cybersecurity experts’ time on protecting global financial platforms, rather than compliance activity, by leveraging the NIST Cybersecurity Framework as a common language.”

Magri adds, “CRI has proven the NIST CSF’s usability and extensibility as a standard framework for managing cyber risk in financial institutions by tying it to regulatory provisions through the CRI Profile. With nearly 100 members, CRI has updated the profile almost every year, extended its application with the cloud profile, defined minimum controls for third parties that map to the CISA Cyber Performance Goals and NIST CSF, and introduced a maturity model assessment for peer comparisons and benchmarking.

Banks that embrace the CRI Profile cite several key benefits.

U.S. Bank’s Rohlena adds: “The FFIEC CAT’s inadequacies were a primary driver. But the CRI Profile’s alignment with the NIST Cybersecurity Framework and other widely accepted industry standards are also key. This enhances banks’ regulatory compliance and reduces the burden of demonstrating adherence to multiple frameworks. A couple of other factors are the CRI Profile’s continuously updated diagnostic statements, which reflect the dynamic nature of cyber threats, and its forward-looking maturity model. This helps financial institutions proactively identify and address emerging risks. Plus, support for the CRI Profile from FFIEC and international regulatory bodies solidify its credibility and long-term viability.”

“Beyond its alignment with the NIST CSF and other industry standards, the dynamic nature of its diagnostic statements provides a more accurate and timely assessment of cyber risk. Its ongoing evolution ensures that cybersecurity programs remain aligned with best practices and regulatory expectations. This helps financial institutions mitigate future vulnerabilities, enhance their overall security posture and allows for more efficient and focused remediation efforts.”

Meanwhile: Cyber threat continues to evolve

Over the past decade, banks have dealt with increasing cyber threats. Adversaries target banks, their customers and third-party providers. Banks are on guard to fend against ransomware attacks, distributed denial of service attacks and phishing attacks designed to defraud bank customers, to name a few. Emerging risks include the expanding use of generative AI that can create convincing deep fakes that can lure and then defraud bank customers and bank employees alike. Quantum computers may pose a threat to widely used encryption and could have serious security and privacy implications if banks and service providers do not implement quantum-resistant cryptographic algorithms to protect data against future quantum threats.

Since the cyber threat environment and technology environment are constantly changing, banks cannot assume that what worked last year will work this year, so any assessment and maturity framework needs to evolve.

In February, Federal Reserve Governor Michelle Bowman noted: “Because cyber threats evolve quickly, cybersecurity must be equally dynamic in its response. Banks must continuously refine their risk management processes.”

Lewis and Clark Bank’s Maust argues that “[a]s we look to successor tools, it is important for the industry to have ready access to an effective inherent risk measurement and benchmarking tool akin to that provided in the FFIEC CAT — particularly one that is periodically updated for the everchanging banking and cybersecurity landscape.”

CRI’s Magri says that “CRI is also focused on operationalizing NIST for artificial intelligence and aligning the profile to broader risk management.”

Regulatory focus and outreach ramps up

In another speech last fall, Fed Governor Bowman linked cyber threats with the need for resources to support banks: “We know well that cyber threats pose real risks to the banking system. We also recognize that community banks may have unique needs in preventing, remediating and responding to cyber threats. Therefore, regulators should ensure that a range of resources are available to support community banks and seek further opportunities to help build community bank resilience against these threats.”

Regulators are gearing up to educate banks about the transition, including those that the Federal Reserve is organizing in coordination with the ABA.

Conclusion

If a cat has nine lives, then perhaps it’s fitting that the FFIEC announced its CAT would be retired after nine years. The good news is that banks have good alternatives, and the march is on to select those that work best and address the evolving cyber risks and regulatory expectations banks will face in the years to come.

John Carlson is SVP, cybersecurity regulation and resilience at ABA.

Tags: Artificial intelligenceFraud
ShareTweetPin

Related Posts

New task force to tackle financial fraud, scams

Survey finds most U.S. adults were scammed in 2025

Compliance and Risk
July 8, 2026

More than two in three adults report they were personally scammed last year, with those scams costing an estimated $68 billion, or four times what was reported to federal authorities, according to a new survey by the Stop...

Banking young athletes in a new age

Banking young athletes in a new age

Retail and Marketing
July 8, 2026

For some banks, the value extends beyond new accounts to greater brand recognition and community connections.

ABA, BPI support proposed process to create drone no-fly zones

ABA, BPI support proposed process to create drone no-fly zones

Cybersecurity
July 7, 2026

In a joint letter to the FAA, ABA and BPI said that unauthorized unmanned aircraft activity near financial institution sites can create “obvious and legitimate risk” to physical security as well as cybersecurity, as the technology can be...

How to Talk About Your Bank’s Fintech Collaborations

The trust dividend

Technology
July 7, 2026

How regulatory and consumer expectations are shifting how partner banks compete for fintech deposits.

Banks’ private-credit conundrum

CRM and marketing automation remain core to modern bank marketing

Retail and Marketing
July 7, 2026

The increasing influence of marketing analytics and data platforms highlights the trend of turning customer data into actionable insights.

Survey: Most high school students want to know more about financial management

America at 250: How banks have powered opportunity – and will shape what comes next

Community Banking
July 6, 2026

In the months ahead, the ABA Foundation will work closely with banks to support more Americans on their path to wealth-building.

NEWSBYTES

Survey finds most U.S. adults were scammed in 2025

July 8, 2026

ABA urges lawmakers to restore limited NOL carryback option

July 8, 2026

Consumer credit was unchanged in May

July 8, 2026

SPONSORED CONTENT

Why Your Systems Keep Slowing Down — and What to Do About It

Examiners Are Now Looking at Your Non-Core Systems

June 11, 2026
Your Floorplan Audit and Your Credit Decision Are Weeks Apart. That Gap Has a Price.

Your Floorplan Audit and Your Credit Decision Are Weeks Apart. That Gap Has a Price.

June 1, 2026
A Modern Blueprint for Serving High-Net-Worth Families

A Modern Blueprint for Serving High-Net-Worth Families

May 28, 2026
Why Your Systems Keep Slowing Down — and What to Do About It

AI Is in Your Bank. Is Your Cloud Contract Governing It?

May 20, 2026

PODCASTS

Podcast: Understanding the 2025 Home Mortgage Disclosure Act data

July 8, 2026

Podcast: Financing America’s independence

June 29, 2026

Podcast: Talent and innovation in community banking

June 18, 2026

American Bankers Association
1333 New Hampshire Ave NW
Washington, DC 20036
1-800-BANKERS (800-226-5377)
www.aba.com
About ABA
Privacy Policy
Contact ABA

ABA Banking Journal
About ABA Banking Journal
Media Kit
Advertising
Subscribe

© 2026 American Bankers Association. All rights reserved.

No Result
View All Result
  • Topics
    • Ag Banking
    • Commercial Lending
    • Community Banking
    • Compliance and Risk
    • Cybersecurity
    • Economy
    • Human Resources
    • Insurance
    • Legal
    • Mortgage
    • Mutual Funds
    • Payments
    • Policy
    • Retail and Marketing
    • Tax and Accounting
    • Technology
    • Wealth Management
  • Newsbytes
  • Podcasts
  • Magazine
    • Subscribe
    • Advertise
    • Magazine Archive
    • Newsletter Archive
    • Podcast Archive
    • Sponsored Content Archive

© 2026 American Bankers Association. All rights reserved.