2025 Pub. 16 Issue 1

Preparing for the FFIEC CAT Phase-Out: Exploring New Cybersecurity Assessment Options for Financial Institutions

By BRYAN NEWLIN, CPA, CISA, Risk Advisory Services Principal, YHB

The FFIEC Cybersecurity Assessment Tool (CAT) has been a critical resource for financial institutions to assess their cybersecurity preparedness. However, with the upcoming phase-out of the CAT on Aug. 31, 2025, financial institutions must prepare to adopt a new framework to maintain effective cybersecurity risk management. In this article, we'll review the intentions of the CAT, key dates to be aware of, and viable alternatives for future assessments.

The FFIEC CAT was first introduced to help financial institutions benchmark their cybersecurity posture, create a path for continuous cybersecurity improvement, and provide evidence for audits and examinations. Despite these benefits, the CAT presented several challenges, particularly for smaller institutions. With 494 declarative statements, scaling it for all sizes of financial institutions proved difficult, leading to the decision to phase it out.

EXPLORING VIABLE ALTERNATIVES

The announcement from the FFIEC on Aug. 29, 2024, provided examples of several frameworks and tools that are available to replace the CAT. Each option offers unique benefits, depending on the size and complexity of the institution. It will be important for each financial institution to select a cybersecurity risk management framework that aligns with its size and complexity and delivers the benefits its cybersecurity goals require. Here, we briefly discuss the frameworks to give financial institutions a starting point for selecting the appropriate one:

1. NIST Cybersecurity Framework 2.0: The NIST Cybersecurity Framework 2.0 includes six core functions (Govern, Identify, Protect, Detect, Respond and Recover), making it a comprehensive option for managing cybersecurity risks. It's widely recognized as the gold standard in risk management and is adaptable to financial institutions of various sizes. NIST CSF 2.0 can be used as a maturity model using a four-tiered system, providing a path to improving cyber maturity over time. The framework, however, is large and could prove laborious for a community bank to execute, given the myriad responsibilities that tend to fall to IT and Operations teams in smaller settings.

2. CISA Cyber Performance Goals: Designed specifically for small- and medium-sized businesses, the CISA Cyber Performance Goals are practical, threat-informed goals that align with NIST but exclude the Govern function. The goals themselves declare that they are not a framework. However, they offer actionable steps for improving both IT and operational technology (OT) cybersecurity. The CISA Cyber Performance Goals could be considered a minimum set of cybersecurity standards, so if financial institutions choose to adopt this model, they may need to migrate to another, more sophisticated model after achieving the stated goals.

3. Cyber Risk Institute (CRI) Cyber Profile: Focused on financial institutions, the CRI Cyber Profile is a streamlined tool that helps financial institutions assess cyber risk based on the significance of the institution's impact on the financial system. The Cyber Risk Institute (CRI) is a nonprofit coalition of financial institutions and trade associations that lends industry knowledge to the CRI Cyber Profile. Most community banks will likely fall into the Tier 4 category, which contains 208 diagnostic statements, significantly fewer than the FFIEC CAT's 494 declarative statements. It's self-contained within an Excel format and allows FIs to complete only the applicable tier, making it ideal for community financial institutions. If this sounds similar to the CAT, it is. Of all the frameworks evaluated here, the CRI Cyber Profile will look and feel most like the FFIEC CAT.

4. CIS Top 18 Controls: The CIS Top 18 Controls provide a set of best practices categorized into three implementation groups (IGs) based on a company's size and cybersecurity resources. But just because

16 WEST VIRGINIA BANKER
