The Problem
For years, the FFIEC Cybersecurity Assessment Tool gave smaller financial institutions a familiar structure for discussing inherent risk and cybersecurity maturity. It was not perfect, but it was recognizable. Board members, examiners, IT managers, and consultants all knew what someone meant when they said, “We completed the CAT.”
That shorthand no longer works. The FFIEC announced that the CAT would be sunset on August 31, 2025, and pointed institutions toward newer resources including the NIST Cybersecurity Framework 2.0, CISA Cybersecurity Performance Goals, the Cyber Risk Institute Profile, and CIS Controls. The message is clear: cyber risk has moved beyond a static checklist.
What Changed
The CAT was released in 2015. Since then, the threat environment, vendor ecosystem, and regulatory expectations have changed substantially. Ransomware, cloud concentration risk, identity-based attacks, supply chain exposure, and third-party technology dependencies now drive much of the practical risk conversation.
NIST CSF 2.0 reflects that shift by adding a Govern function and expanding emphasis on enterprise risk management and cybersecurity supply chain risk management. That matters for community banks, credit unions, lenders, and other regulated organizations because governance is where examiner questions usually land: Who owns the risk? Who reports it? Who accepts it? Who makes sure remediation actually happens?
What Examiners Will Still Expect
A Risk-Based Assessment
The CAT disappearing does not remove the expectation that institutions assess cybersecurity risk. Examiners will still expect a current risk assessment that identifies threats, evaluates controls, prioritizes gaps, and ties remediation to management oversight. The format can change. The underlying discipline cannot.
Board and Management Visibility
A modern assessment should produce a management-level view, not just a spreadsheet. The board does not need every control mapping, but it does need a clear picture of material risks, planned remediation, resource needs, and accepted residual risk. If the assessment cannot support that conversation, it is not doing enough.
Traceability From Findings to Fixes
One of the biggest weaknesses in checklist-based assessments is that findings can sit in the document without becoming operational work. A defensible program connects each gap to an owner, due date, status, and evidence of closure. Examiners are less impressed by the framework you selected than by whether the institution is actually reducing risk.
Vendor and Supply Chain Coverage
The CAT era often treated vendor management as a related but separate exercise. That separation is harder to justify now. Core processors, MSPs, cloud providers, payment vendors, fintech partners, and security tooling vendors all shape the institution’s cyber risk. Your replacement assessment should bring third-party risk into the same risk conversation as internal controls.
How to Transition Without Overbuilding
Pick a Primary Framework
For many smaller institutions, NIST CSF 2.0 is a practical starting point because it is flexible, widely recognized, and broad enough to support governance, security operations, vendor oversight, and board reporting. CIS Controls can add more technical specificity. The Cyber Risk Institute Profile may be useful for financial-sector control mapping. The point is not to use every framework. The point is to choose a structure and use it consistently.
Create a Crosswalk From the Old CAT
If your prior assessment program was built around the CAT, do not throw away useful history. Map prior findings, maturity observations, and open remediation items into the new framework. This lets management show continuity: the tool changed, but the institution kept tracking risk and progress.
Separate Executive Reporting From Control Detail
A good assessment produces more than one output. Management needs a practical remediation tracker. The board needs a concise risk report. IT needs control-level detail. Examiners may ask for all of it. Building those views from the same underlying assessment prevents inconsistent answers and makes the program easier to maintain.
Update Policies and Calendars
If your information security policy, board calendar, or audit plan still says “complete the FFIEC CAT annually,” update it now. Replace that wording with a framework-neutral requirement to perform and report a cybersecurity risk assessment at least annually and after material changes to systems, vendors, threats, or operations.
Practical Checklist
- Board and management informed that the FFIEC CAT has been sunset
- Primary replacement framework selected and documented
- Prior CAT findings mapped into the new assessment structure
- Open cyber risk items assigned to owners, due dates, and evidence requirements
- Vendor and supply chain risks included in the cybersecurity assessment scope
- Information security policy updated to remove CAT-specific language
- Board reporting revised to show material risks, remediation progress, and accepted residual risk
- Assessment calendar updated for annual review and change-triggered updates
- Exam documentation package prepared with framework rationale and prior-year continuity