In a significant shift for the financial services sector, the Federal Financial Institutions Examination Council (FFIEC) recently announced that its Cybersecurity Assessment Tool (CAT) will be sunset in August 2025. Since 2015, the FFIEC CAT has been a standard tool for financial institutions to assess their cybersecurity risk management practices. This announcement may represent a major change for institutions that commonly use the CAT, but also presents an opportunity. Financial institutions could use this announcement as a catalyst for the adoption of a new framework that enables many benefits beyond self-assessment. Let’s dive into what this announcement means, why it’s happening, and how Axio, in partnership with the Cyber Risk Institute (CRI), can help you more efficiently manage cyber risk in your institution.
The FFIEC’s Announcement: A Move Toward Greater Resilience
The FFIEC notes that the decision to sunset the CAT supports a “whole-of-government” approach aimed at improving security and resilience across critical infrastructure sectors, including financial services. This holistic strategy acknowledges that critical infrastructure operators face many of the same threats and foundational practices can help mitigate systemic risks.
Some factors the FFIEC noted as influencing the CAT’s retirement include the National Institute of Standards and Technology (NIST) releasing the considerably updated version 2.0 of the Cybersecurity Framework (CSF) earlier this year and the Cross-Sector Cybersecurity Performance Goals (CPGs) published by CISA. There is great alignment between the CSF and CPGs and these resources are representative of the whole-of-government approach to addressing the shared risks of critical infrastructure operators.
Suggested Alternatives for Self-Assessment: CIS Controls and CRI Profile
There are many cybersecurity frameworks and models, but if you’re considering a switch, which one is the right one for you? The FFIEC suggests that financial institutions consider resources “to better address and inform management of continuously evolving cyber security risk,” along with frameworks like:
- Center for Internet Security (CIS) Controls: The CIS Controls are a set of “prescriptive, prioritized, and simplified set of best practices that you can use to strengthen your cybersecurity posture.” They are regarded as being actionable for organizations of varied maturity levels and help support compliance with many common regulatory frameworks.
- CRI Profile v2.0: CRI, a not-for-profit coalition of financial institutions and trade associations, developed the Profile specifically for the financial services sector. It is an extension of the NIST CSF and has gained recognition from international supervisory and regulatory bodies. It is an excellent alternative for financial institutions interested in more efficiently managing compliance obligations.
Why Consider the CRI Profile?
While the CIS Controls provide a solid foundation for improving general cybersecurity practices, the CRI Profile v2.0 is the benchmark for cybersecurity and resiliency in the financial services industry. The CRI Profile offers several distinct advantages:
- Built for the Financial Sector: Developed by industry experts specifically for the financial sector, the CRI Profile addresses the unique challenges and regulatory requirements faced by financial services institutions. The CRI Profile helps organizations consistently evaluate their cybersecurity capabilities and provides a common method for collaboration between firms.
- Alignment with NIST CSF 2.0: The CRI Profile tailors and extends the widely used NIST CSF 2.0. The CRI Profile provides an additional level of detail, called Diagnostic Statements, while keeping in alignment with the well-known structure of the CSF.
- International Recognition: The CRI Profile has gained recognition from international regulatory and industry bodies. This global recognition helps financial institutions more effectively operate across multiple jurisdictions.
- Synthesis of Regulatory Expectations: One of the most compelling reasons to consider the CRI Profile is the consolidation of over 2,500 regulatory expectations, including the FFIEC CAT, into 318 control objectives. The CRI Profile offers a streamlined set of objectives that help institutions rationalize the wide range of regulatory requirements they face.
Supporting Your Transition: How Axio Can Help
While transitioning to a new cybersecurity framework can be resource intensive, the Axio platform can help you make the most of your switch. Axio’s easy-to-use platform enables dynamic and collaborative decision-making. It enables your institution to gain a greater understanding of your cybersecurity posture through assessment, make more informed decisions through cyber risk quantification, and understand how your insurance coverage aligns with your risk exposure.
The Axio Assessment platform can help your institution realize the benefits of adopting the CRI Profile, while adding additional value, such as:
- Accelerate Your Profile Adoption Through Mapping: Use your existing CAT self-assessment results to jump start your CRI Profile self-assessment.
- Facilitate Your CRI Profile Self-Assessment: The Axio platform makes it easy to complete a CRI Profile self-assessment and document rationale for your responses.
- Set Targets and Compare Results: Chart the path of your cybersecurity program by defining targets in alignment with your cybersecurity program roadmap and track your progress.
- Document Evidence: Built-in functionality facilitates documentation of evidence to support responses to regulatory examinations.
- Capture and Track Actions Items: Manage and assign actions items to help you maintain and improve your cybersecurity posture.
The FFIEC’s decision to sunset the CAT provides financial institutions with an opportunity to carefully evaluate the tools that they are using to manage cyber risks. The powerful combination of the CRI Profile and Axio can help institutions consistently evaluate their operational resilience and navigate an ever-changing threat environment.
Visit CRI’s website if you are a financial institution that is interested in becoming a CRI member. If you’re interested in learning more about how Axio can help you in your adoption of the CRI Profile, contact us to speak to one of our cyber risk experts.