The Federal Financial Institutions Examination Council (FFIEC) announced that it plans to sunset its Cybersecurity Assessment Tool (CAT) on Aug. 31, 2025. The CAT has been helping financial institutions identify their risks and determine their cybersecurity preparedness since it was released in June 2015 as a voluntary assessment tool.
The tool addresses fundamental security controls throughout various CAT maturity levels to ensure they are sound, as well as several new and updated government and industry resources financial institutions can leverage to better manage cybersecurity risks, according to an FFIEC press release.
“After much consideration, the FFIEC has determined not to update the CAT to reflect new government resources, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework 2.0 and the Cybersecurity and Infrastructure Security Agency’s (CISA) Cybersecurity Performance Goals. Supervised financial institutions can instead refer directly to these new government resources,” the release states. “CISA released Cross-Sector Cybersecurity Performance Goals in 2023 and is preparing to release Cybersecurity Performance Goals for the Financial Sector later this year. These resources were developed to help organizations of all sizes and sectors manage and reduce their cybersecurity risk in alignment with a whole-of-government approach to improve security and resilience. The FFIEC will discuss these resources during a banker webinar this Fall.”
Supervised financial institutions are advised to also consider industry-developed resources, such as the Cyber Risk Institute’s (CRI) Cyber Profile and the Center for Internet Security Critical Security Controls. These tools can be used in conjunction with other resources (e.g., frameworks, standards, guidelines, leading practices) to better address and inform management of continuously evolving cybersecurity risk.
Covered entities also are advised to ensure any self-assessment tool(s) they utilize can support an effective control environment with respect to their risk profiles.
Although the FFIEC noted that it does not endorse any particular tool, it acknowledged that standardized tools can assist financial institutions in their self-assessment activities.
In response to the FFIEC’s decision, the National Credit Union Administration (NCUA) announced its Automated Cybersecurity Examination Tool (ACET) will continue to be supported and remain available for use by credit unions via the NCUA website.
“As geopolitical events evolve, credit unions of all sizes must understand and operate under the assumption that they remain targets of not just cybercriminals, but foreign nations that intend to cause harm to critical infrastructure in the United States—of which credit unions are a vital part,” the agency said in a press release. “As such, the NCUA encourages credit unions to use the ACET as a tool for assessing cybersecurity preparedness levels.”
The ACET is tailored specifically for credit unions and includes a user-friendly application interface, enhanced reporting features, and supplementary information. Credit unions are instructed to contact their local examiner with any questions or concerns.