FFIEC Cybersecurity Assessment Tool Sunset

Frequently Asked Questions

On August 29, 2024, the Federal Financial Institutions Examination Council (FFIEC) released a statement announcing the sunsetting of the FFIEC Cybersecurity Assessment Tool (CAT). The following is a list of frequently asked questions to assist your institution in transitioning from the CAT to other available assessment tools. 

Question: When is the CAT sunset date?

Answer:
August 31, 2025. The CAT will be removed from the FFIEC website on this date.

Question: Why is the FFIEC sunsetting the CAT?

Answer:
The CAT was released in June 2015 as a voluntary assessment tool to help financial institutions identify their risks and determine their cybersecurity preparedness. While the fundamental security controls addressed throughout the maturity levels of the CAT are sound, the CAT alone is an inadequate assessment tool due in part to new technologies as well as advances in hacking techniques since the CAT was introduced 9 years ago. New and updated government and industry resources are now available that financial institutions can use to better manage current cybersecurity risks. 

Question: When should I start transitioning away from the CAT? 

Answer:
Analysis should begin immediately with a goal of using a new tool by August 31, 2025.

Question: Do I still need to assess my institution’s cybersecurity preparedness?

Answer:
Yes. Expectations for cybersecurity self-assessments have not changed; the only change is the retirement of the CAT from the portfolio of available self-assessment tools. 

Question: Do I have to stop using the CAT?

Answer:
No. This is an individual institution decision. However, the CAT alone is an inadequate assessment tool. Some financial institutions with personnel and financial resources could supplement it with other tools. See FAQ below: Can my financial institution supplement the CAT with another tool? 

Question: Can my financial institution supplement the CAT with another tool?

Answer:
Yes. Some financial institutions, particularly larger institutions, have historically supplemented the CAT with other tools, and it is possible to continue this practice. However, the alternative resources noted in the FFIEC Sunset Statement are believed to be more comprehensive, current, and regularly updated. Migration to these alternative resources can help eliminate the potential risks of utilizing a patchwork of resources and the need for constant review and updating of combined tools. One year has been provided for evaluating alternative resources and tools.

Question: What assessment tool should I use?

Answer:
While we understand the importance of our institutions’ assessment of cybersecurity posture and maturity, the Texas Department of Banking does not endorse any particular tool. Each tool has its own strengths and benefits, and each institution should select one that best fits its individual needs, capabilities, and risk appetite.

As noted in the FFIEC Statement, “Supervised financial institutions should ensure that any self-assessment tool(s) they utilize support an effective control environment and are commensurate with their risk. While the FFIEC does not endorse any particular tool, these standardized tools (referred to in the statement), can assist financial institutions in their self-assessment activities. The tools are not examination programs and the FFIEC members take a risk-focused approach to examinations. As cyber risk evolves, examiners may address areas not covered by all tools.” 

 

Still have questions? Contact the Director of IT Security Examinations - Mrs. Ruth Norris.