<img src="https://ws.zoominfo.com/pixel/pIUYSip8PKsGpxhxzC1V" width="1" height="1" style="display: none;">

Does the FFIEC CAT/ACET Tool Still Matter for Financial Institutions?

4 min read
May 16, 2024

Reports of the death of the Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool (CAT) have been greatly exaggerated. Following the first major update to the National Institute of Standards and Technology (NIST) Cybersecurity Framework in February 2024, speculation turned to the future of CAT. Would the tool be updated as well? Would it be replaced?

After all, the FFIEC modeled the CAT exam on NIST and the FFIEC Information Technology Examination Handbook (IT Handbook). Some guessed that NIST CSF 2.0 meant the CAT would require a refresh, especially given that a new version of PCI DSS also went into effect at the end of March 2024.

But the CAT tool is here to stay. CAT and its credit union cousin, the NCUA’s Automated Cybersecurity Evaluation Toolbox (ACET), remains the best practice for financial institutions to assess and demonstrate their cyber preparedness and maturity to examiners. It provides a repeatable process for measuring cybersecurity preparedness over time.

While financial institutions may measure cybersecurity maturity and preparedness in other ways, the tool's popularity and the fact that the Office of Management and Budget has approved its use through 2025 means it will remain the dominant security assessment tool for FIs into the foreseeable future.

CAT has been updated to reflect changes in the cybersecurity landscape

Since 2015, the FFIEC has updated CAT to help financial institutions enhance their security posture. FFIEC IT Examination Handbook updates include the following:

FFIEC Management Booklet (November 2015)
FFIEC Retail Payment Systems Booklet (April 2016) 
FFIEC Information Security Booklet (September 2016) 
FFIEC Business Continuity Management Booklet (November 2019) 
FFIEC Architecture, Infrastructure, and Operations Booklet (June 2021)

The FFIEC has also released separate documents for financial institutions to consider, including:

Cyber Attacks Involving Extortion (November 2015) 
Cyber Insurance (April 2018) 
Security in a Cloud Computing Environment (April 2020) 
Authentication and Access to Financial Institution Services and Systems (August 2021) 
FFIEC Cybersecurity Resources Guide for Financial Institutions (November 2022)

Whether the FFIEC will provide additional updates (or entirely revamp) the CAT exam to reflect NIST CSF 2.0 is an open question. At this point, financial institutions should treat CAT/ACET as the tool of choice for assessing whether their security posture aligns with regulatory expectations.

How CAT/ACET allows FIs to assess their cyber maturity

The CAT tool helps financial institutions evaluate their cybersecurity maturity levels based on their inherent risk profiles. The tool defines different baseline controls for FIs depending on their risk levels.

Let’s look at some examples. Access enforcement, which ensures that users can only access the resources they are authorized to use, is considered a baseline control for all FIs, regardless of risk level. On the other hand, monitoring atypical usage, which involves detecting and analyzing unusual or suspicious user behavior, is a baseline control for FIs with a high-risk security profile.

The principle of least privilege, which states that users should only have access to the specific resources and applications necessary to perform their job duties, is a baseline control for institutions with moderate or high-risk security profiles.

Understanding these baseline controls and how they relate to your institution's inherent risk profile is crucial when using the CAT and ACET to assess your organization's cybersecurity maturity level. By aligning your cybersecurity practices with the appropriate baseline controls for your risk level, you can effectively improve elements of your institution's cybersecurity posture.

Should financial institutions consider other cybersecurity frameworks and tools?

As regulators continue to encourage the use of standardized approaches for measuring and improving cyber preparedness, financial institutions can consider additional tools and frameworks. The Office of the Comptroller of the Currency suggests that FIs might use a variety of cybersecurity frameworks, including FFIEC CAT, the Center for Internet Security’s Critical Cybersecurity Controls, and the Cyber Risk Institute’s Profile.

Additionally, the release of the Interagency Guidance on Third-Party Relationships: Risk Management in June 2023 is a reminder that financial institutions must continually assess and monitor vendor cyber controls as part of their overall vendor management program. The guidance clarified that financial institutions are responsible for their third parties’ cybersecurity controls, including disaster recovery and business continuity plans in the event of an incident.

The CAT exam addresses vendor management in its section on External Dependency Management, which evaluates how well financial institutions manage and oversee third-party relationships with access to an FI’s data and technology.

But the tool is not nearly as stringent in managing third-party relationships as the requirement from the Interagency Guidance mandating “comprehensive or frequent monitoring” of vendors engaged in “high-risk activities” related to sensitive consumer data and access to an FI’s core systems.

Financial institutions should ensure they have an effective vendor management system and take steps to ensure vendors are staying up to date with NIST best practices and recommendations.

For instance, Ncontracts adjusted its vendor services executive summaries to more closely align with NIST CSF 2.0 and SP 800-53 and PCI 4.0 standards so that clients can update their vendor risk assessments to reflect new information and have a better understanding of the cybersecurity maturity of their vendors. Financial institutions might also want to consider tools such as continuous vendor monitoring, which lets FIs monitor their vendors’ cybersecurity in real-time.

What does this mean for your financial institution?

  • Financial institutions should continue to use CAT/ACET as it remains the most recognizable cybersecurity framework explicitly designed for FIs.  
  • FIs might consider complementing CAT/ACET with other frameworks. 
  • Financial institutions may think about evolving their cybersecurity baseline with CAT/ACET. 
  • Institutions should consider Cybersecurity Assessment Tools that streamline CAT/ACET, along with platforms that enable vendor monitoring.

Want more information about managing your cyber risk? Download our whitepaper: "Not One and Done: Making the Case for Continuous Monitoring of Third-Party Cyber Risk."

New call-to-action


Subscribe to the Nsight Blog