Cyber Risk Assessment - FFIEC Cybersecurity Assessment
Banks and credit unions are accountable to examiners for a sound, risk-based cybersecurity program. NOXMON delivers FFIEC-aligned assessments that meet the examiner expectations set out in the FFIEC IT Examination Handbook, and quantifies your exposure in financial terms using RISKMON, our proprietary cyber risk quantification platform.

Examiner-Ready, Quantified, Continuous
The Federal Financial Institutions Examination Council (FFIEC) sets the expectations your federal and state examiners use to evaluate cybersecurity at banks, credit unions, and their service providers. Those expectations are detailed across the FFIEC IT Examination Handbook—covering information security, business continuity, management, and operations.
NOXMON assesses your institution against those expectations, identifies where controls fall short, and translates each gap into quantified financial exposure in RISKMON. The result is a prioritized, board-ready roadmap—and the same platform keeps monitoring your posture 24x7 between exams.
Our assessments are designed for institutions of every size, from single-charter community banks to multi-branch credit unions and the third-party providers who serve them. See how we support financial services organizations.
After the CAT: Mapping FFIEC Expectations to Modern Frameworks
For years, many institutions self-assessed using the FFIEC Cybersecurity Assessment Tool (CAT)—pairing an Inherent Risk Profile with a Cybersecurity Maturity model across five domains. The FFIEC retired the CAT effective August 31, 2025, and no longer maintains or supports it. The agencies now point institutions toward widely adopted standards such as the NIST Cybersecurity Framework (CSF) 2.0, the CISA Cybersecurity Performance Goals (CPGs), and the Cyber Risk Institute (CRI) Profile.
Importantly, the CAT's retirement does not change what examiners expect: a risk-based, well-governed cybersecurity program with evidence of effective controls. The underlying concepts—measuring inherent risk and demonstrating maturity—remain valuable inputs to any sound program. NOXMON delivers FFIEC-aligned assessments that map your environment to NIST CSF 2.0 and the CRI Profile while continuing to satisfy examiner expectations under the FFIEC IT Examination Handbook—so your institution transitions cleanly without losing the inherent-risk and maturity insight you relied on.
Risk Domains We Assess
Inherent Risk Profile
Characterize the risk your institution faces before controls are applied.
- Technologies & Connection Types. Networks, third-party connections, and delivery channels in use
- Products & Services. Online and mobile banking, payments, wires, and ACH exposure
- Organizational Characteristics. Size, complexity, mergers, and external dependencies
Cybersecurity Maturity
Evaluate control maturity across the program—mapped to NIST CSF 2.0 functions and the CRI Profile.
- Governance & Oversight. Board engagement, policies, and program management
- Threat Intelligence & Detection. Monitoring, anomaly detection, and threat awareness
- Controls & Resilience. Preventive controls, dependency management, and recovery
Examiner Readiness
Align documentation and evidence to FFIEC IT Examination Handbook expectations.
- Information Security. Access management, data protection, and configuration controls
- Business Continuity. Resilience, recovery objectives, and tested continuity plans
- Third-Party Management. Vendor due diligence and oversight of service providers
How RISKMON Powers Your FFIEC Assessment
- Financial Quantification. RISKMON uses FAIR-based modeling to express each gap as quantified financial exposure—so the board can prioritize spend with confidence.
- Cross-Framework Mapping. A single set of control evidence maps to NIST CSF 2.0, the CRI Profile, CISA CPGs, and FFIEC examiner expectations at once.
- Examiner-Ready Evidence. Findings, control evidence, and POA&M items are tracked to closure and exportable for examiners on demand.
- Continuous Monitoring. RISKMON monitors your posture 24x7 between examinations, surfacing drift before it becomes a finding.
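The FAIR-based quantification referred to above, shown as an added worked example rather than RISKMON's or NOXMON's own code: each gap is described by two assessor estimates in FAIR terms, loss event frequency (events per year) and loss magnitude (dollars per event), each given as a minimum, most likely and maximum. The example models both with PERT distributions and the yearly event count with a Poisson draw, runs a Monte Carlo simulation to produce an annualized loss exposure (ALE) distribution, ranks gaps by mean ALE, and compares a proposed control's expected loss reduction against its annual cost. The two sample gaps, their estimates and the control parameters are constructed for illustration and do not come from any real assessment.

```python
"""FAIR-style quantification of assessment gaps via Monte Carlo simulation.

Added example, not NOXMON's or RISKMON's code. Each gap carries two
assessor estimates in FAIR terms:
  lef: loss event frequency, events per year, as (min, most likely, max)
  lm:  loss magnitude, dollars per event, as (min, most likely, max)
Both are modelled as PERT distributions (a common FAIR convention); the
number of events in a simulated year is Poisson with the sampled frequency.
The output is an annualized loss exposure (ALE) distribution per gap, which
is what lets gaps be ranked and weighed against the cost of a control.
"""
import math
import random


def pert_sample(rng, lo, mode, hi, lam=4.0):
    """Draw from a (modified) PERT distribution on [lo, hi] peaked at mode."""
    if hi <= lo:
        return lo
    alpha = 1.0 + lam * (mode - lo) / (hi - lo)
    beta = 1.0 + lam * (hi - mode) / (hi - lo)
    return lo + rng.betavariate(alpha, beta) * (hi - lo)


def poisson_sample(rng, mean):
    """Number of loss events in one year for an annual rate (Knuth's method)."""
    limit = math.exp(-mean)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_ale(gap, trials=20000, seed=1):
    """Return ALE summary statistics (mean, p50, p90, p95, max) for one gap."""
    rng = random.Random(seed)
    annual = []
    for _ in range(trials):
        lef = pert_sample(rng, *gap["lef"])
        events = poisson_sample(rng, lef)
        annual.append(sum(pert_sample(rng, *gap["lm"]) for _ in range(events)))
    annual.sort()

    def percentile(q):
        return annual[min(trials - 1, int(q * trials))]

    return {
        "mean": sum(annual) / trials,
        "p50": percentile(0.50),
        "p90": percentile(0.90),
        "p95": percentile(0.95),
        "max": annual[-1],
    }


def rank_gaps(gaps, **kw):
    """Order gaps by mean ALE, highest first: the quantified risk register."""
    scored = [(name, simulate_ale(gap, **kw)) for name, gap in gaps.items()]
    scored.sort(key=lambda item: item[1]["mean"], reverse=True)
    return scored


def control_value(gap, lef_reduction, annual_cost, **kw):
    """Compare a control's expected loss reduction with its annual cost.

    lef_reduction is the fraction by which the control is expected to cut
    loss event frequency (0.8 for an 80% reduction); loss magnitude is left
    unchanged. Returns (ale_before, ale_after, benefit_to_cost_ratio).
    """
    scale = 1.0 - lef_reduction
    residual = dict(gap, lef=tuple(v * scale for v in gap["lef"]))
    before = simulate_ale(gap, **kw)["mean"]
    after = simulate_ale(residual, **kw)["mean"]
    return before, after, (before - after) / annual_cost


# Constructed sample gaps: hypothetical estimates, not from any real assessment.
SAMPLE_GAPS = {
    # Wire-transfer channel without out-of-band callback verification
    "wire_callback_gap": {"lef": (0.2, 0.5, 1.0), "lm": (50_000, 200_000, 800_000)},
    # Stale user-access reviews on a low-value internal application
    "access_review_gap": {"lef": (0.02, 0.05, 0.10), "lm": (10_000, 30_000, 100_000)},
}


if __name__ == "__main__":
    for name, stats in rank_gaps(SAMPLE_GAPS):
        print(f"{name:20s} mean ALE ${stats['mean']:>10,.0f}  p90 ${stats['p90']:>10,.0f}")
    before, after, ratio = control_value(SAMPLE_GAPS["wire_callback_gap"], 0.8, 40_000)
    print(f"callback control: ALE ${before:,.0f} -> ${after:,.0f}, benefit/cost {ratio:.1f}x")
```

Because a PERT mean is (min + 4 × mode + max) / 6, the wire-transfer gap has an expected frequency of about 0.53 events per year and an expected magnitude of about $275,000, so its mean ALE lands near $147,000; the simulated distribution also gives the p90 and p95 tail figures a board will want alongside the mean. Note that the seed is fixed so results are reproducible between assessment runs, and that the ranking and the benefit-to-cost comparison both depend entirely on the assessor's estimates, which is why the inherent-risk interviews feeding those estimates need to be documented.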
Assessment Deliverables
- Inherent Risk Profile Report. A documented inherent-risk characterization across technologies, products, and organizational factors.
- Maturity & Gap Analysis. Control maturity mapped to NIST CSF 2.0 and the CRI Profile, with prioritized gaps.
- Quantified Risk Register. Each gap expressed as financial exposure in RISKMON to guide remediation investment.
- Remediation Roadmap & POA&M. A risk-ranked plan with owners, evidence, and timelines tracked to closure.
- Board & Examiner Reporting. Executive dashboards and examiner-ready evidence packages.
- Continuous Monitoring Program. Ongoing 24x7 monitoring and reassessment between examination cycles.
"When the CAT was retired, our board worried we would lose the consistency examiners expected. NOXMON mapped us to NIST CSF 2.0 and the CRI Profile, and RISKMON put a dollar figure on every gap. Our last exam was the smoothest we've had in years."
Our offices
- Houghton
  Houghton, MI 49931
  (212) 913-9184
  info@noxmon.com
- New York City
  New York, NY 10011
  (212) 913-9184
  info@noxmon.com