Sunset of FFIEC Cybersecurity Assessment Tool
Summary:
The Federal Financial Institutions Examination Council (FFIEC) issued a statement to communicate the August 31, 2025, sunset of the FFIEC Cybersecurity Assessment Tool (CAT). The FFIEC will discuss new and updated government and industry resources during a banker webinar this Fall.
Statement of Applicability: The contents of, and material referenced in, this FIL apply to all FDIC-supervised financial institutions.
Highlights:
- The CAT was released in June 2015 as a voluntary assessment tool to help financial institutions identify their risks and determine their cybersecurity preparedness.
- While fundamental security controls addressed throughout the maturity levels of the CAT are sound, several new and updated government and industry resources are available that financial institutions can leverage to better manage cybersecurity risks.
- The FFIEC has determined not to update the CAT to reflect new government resources, including the National Institute of Standards and Technology Cybersecurity Framework 2.0 and the Cybersecurity and Infrastructure Security Agency’s Cybersecurity Performance Goals.
- The FFIEC will remove the CAT from its website on August 31, 2025.
- FDIC-supervised financial institutions may consider the use of industry-developed resources to assist in self-assessment activities.
- These resources were developed to help organizations of all sizes and sectors manage and reduce their cybersecurity risk in alignment with a whole-of-government approach to improve security and resilience.
- The FFIEC will discuss these resources during a banker webinar this Fall.