Rehmann

FFIEC Cybersecurity Assessment Tool Sunset

September 15, 2025

Contributors: Jessica R. Dore, CISA

The Federal Financial Institutions Examination Council (FFIEC) sunset the Cybersecurity Assessment Tool (CAT) and removed it from the FFIEC website on August 31, 2025.

In 2015, Comptroller of the Currency Thomas J. Curry identified cyber threats as among the foremost risks facing banks. The FFIEC released the CAT self-assessment tool in 2015 as part of a three-prong approach to address this concern, along with information sharing and supervisory examinations. The CAT moved cybersecurity concerns outside a purely IT process by integrating them into governance and oversight functions with a framework that considered the cybersecurity lifecycle: identify what to protect, implement controls and processes to protect it, detect security breaches, respond to those breaches, and recover what was compromised.

Over the past decade, several new and updated government and industry resources have become available to guide cybersecurity risk assessments, support effective controls, evaluate vulnerabilities, and implement preparedness programs. The tools also keep management informed of continually evolving cybersecurity risks such as social engineering, ransomware, internal threats, third-party access to systems and networks, misuse of AI, and others.

These governmental resources include the National Institute of Standards and Technology (NIST) Cybersecurity Framework 2.0 and the 2023 Cybersecurity and Infrastructure Security Agency’s (CISA) Cybersecurity Performance Goals. CISA is preparing to release Cybersecurity Performance Goals for the Financial Sector later this Industry-developed resources include the Cyber Risk Institute’s (CRI) Cyber Profile and the Center for Internet Security Critical Security Controls.

To drive this oversight, Audit Committee members should ask:

  1. What framework has the institution transitioned to?
  2. Where is management in the transition?
  3. What was identified as part of the implementation of the new framework?
  4. What are the third-party (vendor) impact/risks, and have they been addressed?

For guidance on implementing the best cyber risk assessment tools and controls for your financial institution, contact Jessica Dore, CISA, at 989.797.8391 or [email protected].