The FFIEC's decision to sunset the Cybersecurity Assessment Tool (CAT) on August 31, 2025, has left many financial institutions wondering: What comes next?
While the CAT provided a familiar, structured way to assess cybersecurity risk, its retirement doesn't mean the expectations go away. Financial institutions across all sectors, including banks, credit unions, mortgage companies, wealth management firms, and other financial services organizations, will still need to demonstrate mature, risk-based cybersecurity programs.
Here's what your examiners will likely expect after the CAT is gone, and how your institution can prepare.
Choosing a Cybersecurity Framework
Even without the CAT, your institution still needs a clearly defined and consistently applied structure for evaluating and managing cybersecurity risk. Examiners will expect to see that you've adopted a recognized framework, not just ad hoc controls or a legacy checklist.
Some of the leading frameworks now recommended by the FFIEC include:
- NIST Cybersecurity Framework (CSF) 2.0: A flexible, widely used framework designed to help organizations of all sizes manage and reduce cybersecurity risk through five core functions: Identify, Protect, Detect, Respond, and Recover.
- CISA Cybersecurity Performance Goals (CPGs): A set of voluntary, baseline cybersecurity practices issued by the Cybersecurity and Infrastructure Security Agency, including sector-specific goals (e.g., financial sector CPGs) designed to support measurable resilience.
- Center for Internet Security (CIS) Controls: A prioritized set of cybersecurity actions that provide specific and actionable ways to stop today's most pervasive cyberattacks.
- Cyber Risk Institute (CRI) Profile: A comprehensive framework specifically designed for all financial sector organizations, including banks, credit unions, mortgage companies, and wealth management firms. The CRI Profile maps to NIST CSF and regulatory requirements while integrating seamlessly with Enterprise Risk Management programs, including Business Continuity, Third-Party Risk Management, Information Security, and Strategic Management functions.
While NIST CSF 2.0, CISA CPGs, and CIS Controls provide excellent general cybersecurity guidance applicable across industries, the CRI Profile stands alone as the only framework designed specifically to address the unique regulatory environment, risk profile, and operational characteristics of financial institutions.
Framework selection should align with your institution's risk profile, resources, and regulatory requirements. The key is demonstrating that your chosen framework is implemented consistently, regularly updated, and appropriately scaled to your organization's size and complexity.
This kind of right-sized control mapping is what sets a mature program apart, and what regulators increasingly expect.
Integration with Enterprise Risk Management (ERM)
Completing a comprehensive cyber assessment is not just about regulatory compliance; it's about gaining critical insights that drive strategic decision-making across your institution. Modern cybersecurity programs don't operate in isolation, and examiners increasingly expect to see how cybersecurity integrates with your broader ERM framework.
The most effective assessments provide clarity and insights that support multiple risk management disciplines:
- Business Continuity Planning: Understanding how cyber incidents could impact critical business functions and recovery objectives. For example, CRI Assessment diagnostic statement GV.RM-09.02 maps directly to the FFIEC Business Continuity Management Examination Handbook objectives, demonstrating how resilience programs ensure organizations can continue operating during adverse incidents.
- Third-Party Risk Management: Evaluating vendor cybersecurity practices and contract terms around data protection. Multiple CRI diagnostic statements across several functions and their associated categories (e.g., GV.SC, EX.DD, EX.CN) directly address third-party risk management strategy, vendor assessments, and evaluation of third parties' business continuity and incident response programs, all of which align with FFIEC Third-Party Risk Management examination expectations.
- Information Security: Aligning cybersecurity controls with data protection and privacy requirements, with assessment results providing documentation that supports FFIEC Information Security examination objectives.
- Strategic Management: Connecting cyber risk decisions to business objectives and resource allocation through governance-focused diagnostic statements that demonstrate board oversight and strategic alignment.
The right assessment framework provides value beyond regulatory compliance. It offers actionable insights that inform business continuity planning, guide third-party risk decisions, and help leadership understand how cybersecurity investments support strategic objectives. This comprehensive view, backed by specific regulatory mappings, is what separates reactive compliance from proactive risk management.
Clear Governance and Accountability
With the retirement of the CAT, regulators are shifting their focus from standardized checklists to how well cybersecurity is actually governed within your institution. They'll be looking closely at who owns cyber risk, how decisions are made, and whether leadership is engaged in a meaningful way.
Examiners expect to see a governance structure that clearly outlines responsibilities across the institution, from IT and risk management to compliance and the board. For boards and senior leadership, involvement must go beyond passive review. Regulators want evidence that leadership is informed, asking critical questions, and actively overseeing the institution's cyber risk posture.
Internally, your institution should be able to show how cybersecurity is integrated into your broader risk management framework and how it connects to vendor management, business continuity, operational risk, and strategic planning.
A Continuous Approach to Assessment
The importance of completing regular cyber assessments cannot be overstated. One of the limitations of the FFIEC CAT was its tendency to be used as a once-a-year exercise. With its retirement, regulators are signaling a shift toward continuous improvement and ongoing risk assessment.
Cyber threats don't follow a set schedule, and neither should your response. Examiners will be looking for signs that your institution treats cybersecurity as a living, breathing part of operations, not a static project.
That means your institution should:
- Regularly review and update cybersecurity policies, controls, and procedures in response to emerging threats, technology changes, and regulatory updates.
- Incorporate real-time risk monitoring into your processes, whether that's tracking vendor cyber posture, reviewing internal control performance, or watching for threat intel alerts.
- Conduct periodic testing and exercises, such as tabletop scenarios, incident response drills, and vulnerability scans, to assess readiness and uncover blind spots.
- Use post-event analysis, exam feedback, and lessons learned to continuously strengthen your program.
This doesn't require more headcount or an overwhelming amount of work. With the right platform, many of these activities can be automated, scheduled, and reported on, freeing up your team to focus on strategy.
Acting on Assessment Results
Completing a cyber assessment is only the beginning; the real value comes from what you do with the results. Once your assessment is complete, best practices include:
- Governance Presentation: Present assessment findings to your IT steering committee, board risk committee, or equivalent governance body. This should include identified gaps, risk prioritization, and recommended remediation strategies.
- Strategic Planning: Use assessment results to inform your cybersecurity roadmap and strategic planning. Assessment findings should directly influence technology investments, resource allocation, and program priorities.
- Budget Planning: Leverage assessment insights to support budget requests and justify cybersecurity investments. Quantified risk findings help leadership understand the business case for security improvements.
- Remediation Planning: Develop a formal remediation plan with timelines, responsible parties, and success metrics. Track progress against this plan and report regularly to leadership.
- Continuous Monitoring: Implement ongoing monitoring to track control effectiveness and identify new risks as they emerge. Assessment results should inform your risk indicators and monitoring strategies.
Exam-Ready Documentation
One of the most useful aspects of the FFIEC CAT was its ability to produce clean, examiner-friendly reports. With its retirement, banks will need to ensure they can still demonstrate the strength and maturity of their cybersecurity programs in a format that examiners can easily understand and evaluate.
Examiners won't expect perfection, but they will expect clarity.
That means being able to show:
- Which cybersecurity framework you've adopted and why
- How controls are tied to your risks
- Who's responsible for oversight and how governance is structured
- What changes or improvements have been made over time
- Evidence of risk-based decision-making, not just compliance checklists
Documentation should connect the dots between your framework, your risk, and your actual practices. Whether that's through dashboards, board reports, policy updates, or assessment results, the goal is to tell a cohesive story of how your institution is managing cyber risk.
If you're using a platform like Ncyber, this process becomes much easier. Tools that offer built-in reporting, version tracking, and remediation management can help you stay both organized and examiner-ready, without creating more manual work for your team.
Ultimately, documentation isn't just for regulators. It's a critical internal resource that enables transparency, supports accountability, and reinforces your institution's commitment to protecting its systems, data, and customers.
Final Thoughts: Cybersecurity Expectations Aren't Going Anywhere
The retirement of the FFIEC CAT marks the end of a familiar tool, but not the end of regulatory expectations. In fact, it's a clear signal that cybersecurity oversight is evolving, and financial institutions are expected to evolve with it.
Examiners will still look for thoughtful, risk-based cybersecurity programs backed by documented frameworks, strong governance, and clear evidence of maturity. The difference now is that you have more flexibility to tailor your approach, so long as it's well-reasoned, well-documented, and aligned with your institution's risk profile.
By taking a proactive approach now, selecting a modern framework, right-sizing your controls, and preparing your team, you can stay ahead of regulatory changes and build a stronger, more resilient cybersecurity posture.
Ready to Move Beyond the CAT?
The CAT sunset represents both a challenge and an opportunity. While you'll need to find new ways to assess and document your cybersecurity program, you also have the chance to adopt more modern, comprehensive approaches that better serve your institution's needs.
Don't wait until August 31st to start planning. The institutions that succeed in the post-CAT environment will be those that begin their transition now, giving themselves time to settle into their updated approach, implement proper governance, and establish the documentation practices that examiners will expect.
The regulatory landscape is evolving, so make sure your cybersecurity program evolves with it.
Want help building an exam-ready cybersecurity program without starting from scratch? Ncyber leverages the CRI Profile — the only financial industry-specific cybersecurity framework — to deliver comprehensive cybersecurity assessments tailored to banking regulations and examiner expectations.