
Say Goodbye to the CAT

By Ryan Merriam
Supervision News Flash
June 2025

Goodbye to the CAT? No, we’re not talking about getting rid of your stealthy household pet! As you may know, the Federal Financial Institutions Examination Council (FFIEC) created and released the Cybersecurity Assessment Tool (CAT) 10 years ago to provide a repeatable and measurable process that financial institutions (FIs) can use to identify risks and measure their cybersecurity preparedness over time. Last November, the FFIEC announced its decision to sunset the tool due to additional government resources available to financial institutions (as noted in SR Letter 24-7: FFIEC Cybersecurity Assessment Tool Sunset Statement). Effective August 31, 2025, the FFIEC will sunset the CAT. To support Fifth District FIs in the search for their next self-assessment tool, we’re providing some resources to help.

In a series of “Ask the Fed” sessions, the Federal Reserve and Conference of State Banking Supervisors shared information related to the CAT sunsetting and invited various government and non-profit industry partners to present available resources that may aid FIs in cybersecurity risk management and future self-assessment activities.  

  • December 2024 — The Cybersecurity and Infrastructure Security Agency (CISA) discussed cyber performance goals and the cyber evaluation tool, along with other resources that can be used by FIs. 
  • March 2025 — The Center for Internet Security (CIS) provided an overview of their cybersecurity framework and self-assessment tool. 
  • April 2025 — The Cyber Risk Institute (CRI) presented the CRI Profile, a resource that connects key cybersecurity control principles to guidance from government agencies and is mapped to numerous global standards and supervisory expectations. CRI represents that the CRI Profile may also be useful for FIs in performing a cybersecurity self-assessment. 

Each of these sessions’ presentations and audio can be found at the “Ask the Fed” link above.

As a reminder, the Federal Reserve System and the Federal Reserve Bank of Richmond do not endorse any specific cybersecurity self-assessment tool but are providing information and resources to our financial institutions to assist in your overall risk management process and activities. Each of the resources presented by the various agencies can be found on page 3 of the Federal Reserve’s Cybersecurity Resources for Community Banks.

As Fifth District financial institutions continue to grow and expand offerings, it’s important for bank management and boards of directors to recognize and understand risks to your institution, including cybersecurity. As part of the Richmond Fed’s Information Technology examination practices, our examiners continue to evaluate the preparation of each supervised institution for cyber and operational threats — aligned with the risk assessment expectations outlined in Federal Reserve Regulation 12 CFR 208, Appendix D-2: Interagency Guidelines Establishing Standards for Safeguarding Customer Information.

Our Richmond Fed Information Technology examiners are available to discuss specific questions for your institution. Reach out to your supervision central point of contact (CPC) or, if you do not know your CPC, contact us at supervisionoutreach@rich.frb.org.
