The financial services sector is facing a major shift as the FFIEC Cybersecurity Assessment Tool (CAT) sunsets on August 31, 2025. Thousands of financial institutions have relied on the CAT to assess cybersecurity risk and maturity. With its retirement, organizations must identify a new framework to guide their cybersecurity programs.
In our recent webinar, cybersecurity and risk experts David White (Axio) and John Goodman (Cyber Risk Institute – CRI) explored the impact of the CAT sunset, discussed alternative assessment frameworks, and provided guidance on how organizations can smoothly transition to a new model.
We encourage you to watch the recording of the webinar to hear the full discussion. In the meantime, below is a summary of the key takeaways for managing the FFIEC CAT transition.
Key Takeaways from the Discussion
1. The FFIEC CAT Sunset: Why Now?
The FFIEC is retiring the CAT to shift its focus and resources to other priorities, citing the availability of newer, actively maintained cybersecurity frameworks. Because the CAT will no longer be updated, organizations should consult their regulators about transition timing and whether a phased approach is acceptable.
2. The Impact on Financial Institutions
The CAT’s sunset affects thousands of financial institutions, many of which have used it for both cybersecurity assessments and regulatory compliance. Transitioning to a new assessment tool requires re-establishing baselines, updating processes, and aligning with regulatory expectations, a shift that demands careful planning to ensure continuity and avoid compliance gaps.
3. What Are the Best Alternatives?
The FFIEC recommended four alternative frameworks for cybersecurity assessments:
- NIST Cybersecurity Framework (CSF) 2.0 – A well-known, flexible framework with 106 subcategories; version 2.0 adds a new Govern function alongside Identify, Protect, Detect, Respond, and Recover.
- CISA Cross-Sector Cybersecurity Performance Goals (CPGs) – A baseline set of cybersecurity practices, better suited to smaller organizations or third parties than to large institutions.
- CIS Critical Security Controls (CIS 18) – A technical control framework with 153 safeguards; useful for control implementation, but it may require mapping and customization to satisfy regulatory requirements.
- CRI Profile – Built for financial services and aligned with global regulatory requirements, the CRI Profile extends the NIST CSF to include third-party risk management, governance, and enterprise technology controls.
4. Why the CRI Profile Stands Out
The CRI Profile is uniquely designed for financial institutions, incorporating compliance requirements from over two dozen financial regulations. Unlike more generalized frameworks, it provides a structured, scalable approach, making it suitable for both small institutions and global banks.
A key advantage of the CRI Profile is that it goes beyond cybersecurity controls to cover governance, enterprise technology, and third-party risk management, critical areas that financial institutions must address in regulatory exams.
Additionally, the CRI community offers continuous updates, expert guidance, and peer collaboration. This means organizations using the profile benefit from an evolving framework that remains aligned with the latest regulatory expectations and industry best practices.
5. How to Transition Successfully
To ensure a smooth transition from the CAT to a new assessment framework, organizations should:
- Engage Leadership & Regulators – Clearly communicate why a new framework is necessary and how it aligns with regulatory expectations.
- Evaluate Cost & Implementability – Consider direct costs, time investment, and ongoing compliance needs.
- Select the Right Framework – Choose an assessment tool that aligns with business objectives, regulatory requirements, and operational capacity.
- Plan & Communicate – Ensure internal stakeholders understand the changes and provide clear guidance on implementation.
- Leverage Technology – Use assessment automation tools to streamline reporting, collaboration, and historical tracking.
Final Thoughts: Embracing the Future
While change can be challenging, transitioning away from the FFIEC CAT is also an opportunity to strengthen cybersecurity governance. By selecting a well-supported and robust framework—such as the CRI Profile—financial institutions can align with best practices while ensuring compliance with evolving regulations.
Watch the Full Webinar
For a deeper dive into these insights, watch the full webinar recording here.
Have questions about your transition? Connect with our experts or explore the CRI Profile and Axio’s assessment tools to support your cybersecurity program.