Financial regulatory agencies are sunsetting a tool to assess cyber risks
A group of five federal financial regulatory agencies is sunsetting a tool that banks use to assess cybersecurity risks, part of what an Office of the Comptroller of the Currency official said is an acknowledgment that processes must evolve alongside an ever-changing threat landscape.
The Federal Financial Institutions Examination Council revealed last month that the Cybersecurity Assessment Tool will go dark Aug. 31, 2025, a little more than a decade after it was introduced as a voluntary instrument intended to help financial institutions pinpoint their risks and evaluate their cyber preparedness.
Patrick J. Kelly, director for critical infrastructure policy in the OCC’s Operational Risk Division, said in an interview with FedScoop that alternative options have emerged over the past 10 years that better meet financial institutions’ needs. Two of those options, both endorsed by the FFIEC, are the National Institute of Standards and Technology’s Cybersecurity Framework 2.0 and the Cybersecurity and Infrastructure Security Agency’s Cybersecurity Performance Goals.
“Knowing that there are federal agencies that are in the standards development space and in the threat space that have dedicated resources now that are committed to being updated on a regular basis, we felt comfortable sunsetting the Cybersecurity Assessment Tool and steering institutions more towards some of those resources,” Kelly said.
The decision in 2015 to launch the CAT came at a time when the FFIEC — which comprises the OCC, the Federal Reserve, the Federal Deposit Insurance Corp., the Consumer Financial Protection Bureau and the National Credit Union Administration — observed a “big chasm” in banks’ cyber capabilities, according to Kelly.
Major financial institutions were able to implement protections called out in NIST’s first cybersecurity framework, which was released in February 2014. But for banks “that don’t have their names on the sides of football stadiums,” Kelly said, the tasks were often far too daunting.
The FFIEC also felt that there were missing pieces in national cyber frameworks of that kind, Kelly said; NIST’s 1.0 document, for example, didn’t cover governance, supply chain or third-party dependencies.
“We saw an opportunity to highlight this as a way to bridge between what the NIST cybersecurity framework is doing and some of the steps that institutions can take on that journey to improve and mature their cybersecurity preparedness,” Kelly said of CAT.
But over the course of the next several years, the gap between financial institutions narrowed as NIST and CISA leveled up. NIST expanded its coverage of cyber measures “near and dear to us as regulators,” Kelly said, providing significant updates “to address current threats.”
CISA’s Cybersecurity Performance Goals, meanwhile, didn’t “try to boil the ocean with the entire framework,” Kelly said. The cyber agency is currently developing sector-specific performance goals, he added, which are expected to be released between now and the sunsetting of CAT.
There have also been efforts to get industry more involved, most notably with the Cyber Risk Institute’s cybersecurity profile, which was developed with input from financial institutions big and small, Kelly said. Given that and the efforts from NIST and CISA, the FFIEC saw an “opportunity for us to sunset the tool, rather than updating six to 12 months to align with these new tools and make sure that we’re all speaking from the same set of music,” he added.
Though CAT, the NIST framework and CISA’s CPGs are all self-assessment tools, the FFIEC agencies still have a critical supervisory role to play, starting with communicating the changes in cyber policy to the institutions they regulate — and reassuring them that these shifts won’t undercut government harmonization efforts.
“Industry is not a monolith. There are some institutions that have [utilized] the Cybersecurity Assessment Tool, and transitioning will be potentially challenging,” Kelly said. But the government resources that will sub in for CAT are “all mapped to each other. They’re all integrated together in some meaningful way, so that industry will have a sort of pathway from the performance goals to the broader framework as they mature their operations.”
Starting this fall, the OCC will be conducting webinars and training sessions with financial institutions about the phase-out of CAT and the adoption of NIST and CISA guidelines, in addition to posting cybersecurity work programs on the agency’s website leading up to the switch. And in the meantime, Kelly said banks should keep in mind a few simple things to best manage their cybersecurity risks.
“Understand your infrastructure, understand the controls that need to be in place,” he said, “to be safe and to protect your institution and your customers.”
