FFIEC Cybersecurity Assessments After the CAT: A Practical Guide for Banks
by Noxmon-CyberRisk-Team, Financial Services Security Team
For more than a decade, the Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool (CAT) gave banks and credit unions a familiar, structured way to measure cyber readiness. That era has ended. The FFIEC formally retired the CAT on August 31, 2025, and institutions are now expected to assess cybersecurity using contemporary frameworks while still meeting examiner expectations set out in the FFIEC IT Examination Handbook. This shift is not a relaxation of expectations — it is a maturation of them. Examiners still want to see disciplined, risk-based cybersecurity programs; they simply no longer prescribe the CAT as the vehicle for demonstrating it.
This guide explains what FFIEC examiners actually look for today, how to transition cleanly away from the CAT, and how NOXMON and RISKMON help banks and credit unions deliver examiner-ready evidence and board-level reporting grounded in quantified financial risk.
What FFIEC examiners expect today
The FFIEC is an interagency body whose member agencies — including the OCC, FDIC, Federal Reserve, NCUA, and CFPB — examine financial institutions for safety and soundness. Cybersecurity has become a central pillar of that examination. While the CAT is gone, the underlying examiner expectations have remained remarkably consistent and are documented across the FFIEC IT Examination Handbook booklets, particularly Information Security, Management, and Business Continuity Management.
In practice, examiners want evidence of the following:
Governance and oversight. A board and senior management that understand the institution's cyber risk profile, set risk appetite, and receive regular, meaningful reporting on cybersecurity posture.
A documented, risk-based program. Written policies, a current risk assessment, and controls that are proportionate to the institution's size, complexity, and risk exposure.
Identification of inherent risk. A clear understanding of the institution's inherent risk — driven by technologies, delivery channels, third-party relationships, and the volume and sensitivity of data — independent of the controls in place.
Control maturity and effectiveness. Evidence that controls are not just documented but operating effectively, with continuous improvement over time.
Third-party and concentration risk management. Due diligence and ongoing monitoring of vendors and critical service providers.
Incident response and resilience. Tested incident response and business continuity plans, including the ability to recover critical operations.
The retirement of the CAT did not remove any of these expectations. What changed is that institutions now choose the framework that best demonstrates them.
The transition away from the CAT
The most important message for any bank or credit union is this: do not simply stop assessing. The CAT's two pillars — the Inherent Risk Profile and the Cybersecurity Maturity model across five domains — captured concepts that remain extremely useful. Inherent risk and maturity are still the right way to think about cyber posture; the CAT was just one way to express them.
The FFIEC has pointed institutions toward established, well-maintained frameworks to fill the gap, most commonly:
NIST Cybersecurity Framework (CSF) 2.0. The 2024 update added a sixth function, GOVERN, alongside Identify, Protect, Detect, Respond, and Recover. CSF 2.0 is sector-agnostic, widely understood by examiners, and maps cleanly to the governance and risk-based expectations FFIEC emphasizes.
The Cyber Risk Institute (CRI) Profile. Built specifically for the financial sector, the CRI Profile harmonizes CSF and a wide range of regulatory expectations into a single set of diagnostic statements. It is purpose-built for banks and credit unions and is increasingly the framework of choice for FFIEC-regulated institutions.
CISA Cybersecurity Performance Goals (CPGs). A baseline set of high-impact practices useful for smaller institutions or as a prioritization lens.
The practical path is to select a primary framework — typically NIST CSF 2.0 or the CRI Profile — map your existing controls and prior CAT results into it, identify and close gaps, and document the rationale so examiners can follow your reasoning. Preserving the inherent-risk and maturity concepts within the new framework provides continuity and shows examiners a thoughtful, deliberate transition rather than an abandonment.
How NOXMON runs an FFIEC-aligned assessment
NOXMON approaches the FFIEC assessment as a risk quantification exercise, not a checkbox audit. Our methodology mirrors the concepts examiners value while expressing them in modern frameworks and, critically, in financial terms.
Step 1 — Scope and inherent risk. We profile the institution's technologies, delivery channels, third-party relationships, and data sensitivity to establish an inherent-risk baseline — the same concept the CAT captured, now framed against NIST CSF 2.0 or the CRI Profile.
Step 2 — Control and maturity assessment. We evaluate control design and operating effectiveness across the chosen framework's functions and categories, scoring maturity and capturing objective evidence.
Step 3 — Quantify exposure with RISKMON. Using RISKMON, NOXMON translates each gap into financial exposure using FAIR-based quantification. Instead of a heat map, the board sees the dollar value of loss exposure tied to specific weaknesses, which makes prioritization and budget decisions defensible.
Step 4 — Remediation roadmap. Gaps become a prioritized roadmap, with findings and POA&M items tracked to closure inside RISKMON. A single set of control evidence is mapped across overlapping expectations — CSF 2.0, the CRI Profile, and other obligations such as GLBA Safeguards or state requirements — so institutions test once and report many times.
Step 5 — Continuous monitoring and reporting. RISKMON provides 24x7 continuous monitoring and examiner-ready, board-level dashboards. NOXMON itself uses RISKMON to monitor its own clients, so the evidence trail stays current between examinations rather than being reconstructed at the last minute. This keeps the combined inherent-risk and maturity view that examiners expect continuously up to date, with reporting that satisfies both the boardroom and the examination team.
Use case: a community bank modernizes its program
A multi-branch community bank had relied on the CAT for years and was uncertain how to demonstrate readiness after its retirement. NOXMON mapped the bank's existing CAT results and controls into the CRI Profile, preserving its inherent-risk and maturity history while modernizing the framework. RISKMON quantified the institution's top exposures — concentrated in third-party dependencies and legacy authentication — in dollar terms, allowing the board to fund multifactor authentication and vendor monitoring improvements with a clear return on risk reduction. At the next examination, the bank presented a coherent transition narrative and current evidence rather than a stale spreadsheet.
"We were worried the end of the CAT would leave us guessing what examiners wanted. NOXMON gave us a clear framework and RISKMON put a dollar figure on every gap, so our board finally understood the trade-offs. The exam went smoother than any we've had." — Chief Risk Officer, regional community bank
Use case: a credit union earns board confidence
A mid-sized credit union struggled to give its board cyber reporting that was more than a color-coded grid. The volunteer board wanted to understand risk in business terms. NOXMON ran a NIST CSF 2.0 assessment with emphasis on the new GOVERN function, then used RISKMON to express the credit union's exposure as quantified financial loss and to track remediation progress over time. The board could now see that a specific investment reduced expected annual loss by a measurable amount, transforming cybersecurity from an abstract worry into a managed risk.
"For the first time, our board could ask informed questions about cyber risk. Seeing exposure in dollars instead of red, yellow, and green changed the entire conversation, and the examiner-ready evidence was already there when we needed it." — VP of Information Security, member-owned credit union
Getting started
The retirement of the CAT is an opportunity, not a setback. Institutions that move deliberately to NIST CSF 2.0 or the CRI Profile, preserve the valuable inherent-risk and maturity concepts, and quantify their exposure will emerge with stronger programs and smoother examinations. NOXMON's FFIEC-aligned assessment, powered by RISKMON, delivers exactly that: quantified risk, examiner-ready evidence, and continuous monitoring that keeps your institution prepared between exams.
Learn more about our FFIEC Cybersecurity Assessment and how we support financial services institutions, or reach out to discuss your transition plan.