The FFIEC's decision to sunset the Cybersecurity Assessment Tool (CAT) on August 31, 2025, has left many financial institutions wondering: What comes next?
While the CAT provided a familiar, structured way to assess cybersecurity risk, its retirement doesn't mean the expectations go away. Financial institutions across all sectors, including banks, credit unions, mortgage companies, wealth management firms, and other financial services organizations, will still need to demonstrate mature, risk-based cybersecurity programs.
Here's what your examiners will likely expect after the CAT is gone, and how your institution can prepare.
Even without the CAT, your institution still needs a clearly defined and consistently applied structure for evaluating and managing cybersecurity risk. Examiners will expect to see that you've adopted a recognized framework, not just ad hoc controls or a legacy checklist.
Some of the leading frameworks now recommended by the FFIEC include:
While NIST CSF 2.0, CISA CPGs, and CIS Controls provide excellent general cybersecurity guidance applicable across industries, the CRI Profile stands alone as the only framework designed specifically to address the unique regulatory environment, risk profile, and operational characteristics of financial institutions.
Framework selection should align with your institution's risk profile, resources, and regulatory requirements. The key is demonstrating that your chosen framework is implemented consistently, regularly updated, and appropriately scaled to your organization's size and complexity.
This kind of right-sized control mapping is what sets a mature program apart, and what regulators increasingly expect.
Completing a comprehensive cyber assessment is not just about regulatory compliance; it's about gaining critical insights that drive strategic decision-making across your institution. Modern cybersecurity programs don't operate in isolation, and examiners increasingly expect to see how cybersecurity integrates with your broader enterprise risk management (ERM) framework.
The most effective assessments provide clarity and insights that support multiple risk management disciplines:
The right assessment framework provides value beyond regulatory compliance. It offers actionable insights that inform business continuity planning, guide third-party risk decisions, and help leadership understand how cybersecurity investments support strategic objectives. This comprehensive view, backed by specific regulatory mappings, is what separates reactive compliance from proactive risk management.
With the retirement of the CAT, regulators are shifting their focus from standardized checklists to how well cybersecurity is actually governed within your institution. They'll be looking closely at who owns cyber risk, how decisions are made, and whether leadership is engaged in a meaningful way.
Examiners expect to see a governance structure that clearly outlines responsibilities across the institution, from IT and risk management to compliance and the board. For boards and senior leadership, involvement must go beyond passive review. Regulators want evidence that leadership is informed, asking critical questions, and actively overseeing the institution's cyber risk posture.
Internally, your institution should be able to show how cybersecurity is integrated into your broader risk management framework and how it connects to vendor management, business continuity, operational risk, and strategic planning.
The importance of completing regular cyber assessments cannot be overstated. One of the limitations of the FFIEC CAT was its tendency to be used as a once-a-year exercise. With its retirement, regulators are signaling a shift toward continuous improvement and ongoing risk assessment.
Cyber threats don't follow a set schedule, and neither should your response. Examiners will be looking for signs that your institution treats cybersecurity as a living, breathing part of operations, not a static project.
That means your institution should:
This doesn't require more headcount or an overwhelming amount of work. With the right platform, many of these activities can be automated, scheduled, and reported on, freeing up your team to focus on strategy.
Completing a cyber assessment is only the beginning; the real value comes from what you do with the results. Once your assessment is complete, best practices include:
One of the most useful aspects of the FFIEC CAT was its ability to produce clean, examiner-friendly reports. With its retirement, banks will need to ensure they can still demonstrate the strength and maturity of their cybersecurity programs in a format that examiners can easily understand and evaluate.
Examiners won't expect perfection, but they will expect clarity.
That means being able to show:
Documentation should connect the dots between your framework, your risk, and your actual practices. Whether that's through dashboards, board reports, policy updates, or assessment results, the goal is to tell a cohesive story of how your institution is managing cyber risk.
If you're using a platform like Ncyber, this process becomes much easier. Tools that offer built-in reporting, version tracking, and remediation management can help you stay both organized and examiner-ready, without creating more manual work for your team.
Ultimately, documentation isn't just for regulators. It's a critical internal resource that enables transparency, supports accountability, and reinforces your institution's commitment to protecting its systems, data, and customers.
The retirement of the FFIEC CAT marks the end of a familiar tool, but not the end of regulatory expectations. In fact, it's a clear signal that cybersecurity oversight is evolving, and financial institutions are expected to evolve with it.
Examiners will still look for thoughtful, risk-based cybersecurity programs backed by documented frameworks, strong governance, and clear evidence of maturity. The difference now is that you have more flexibility to tailor your approach, so long as it's well-reasoned, well-documented, and aligned with your institution's risk profile.
By taking a proactive approach now, selecting a modern framework, right-sizing your controls, and preparing your team, you can stay ahead of regulatory changes and build a stronger, more resilient cybersecurity posture.
The CAT sunset represents both a challenge and an opportunity. While you'll need to find new ways to assess and document your cybersecurity program, you also have the chance to adopt more modern, comprehensive approaches that better serve your institution's needs.
Don't wait until August 31st to start planning. The institutions that succeed in the post-CAT environment will be those that begin their transition now, giving themselves time to settle into their updated approach, implement proper governance, and establish the documentation practices that examiners will expect.
The regulatory landscape is evolving, so make sure your cybersecurity program evolves with it.
Want help building an exam-ready cybersecurity program without starting from scratch? Ncyber leverages the CRI Profile — the only financial industry-specific cybersecurity framework — to deliver comprehensive cybersecurity assessments tailored to banking regulations and examiner expectations.