The FFIEC Cybersecurity Assessment Tool has been retired. Here is what community banks and credit unions should anchor their information security programs to instead, and what examiners expect.
For nearly a decade, the FFIEC Cybersecurity Assessment Tool was the default self-assessment instrument for community banks and credit unions: fill in the inherent risk profile, map your maturity, hand the workbook to the examiner. The FFIEC retired the CAT effective August 31, 2025, and did not issue a replacement. For institutions that had built their entire assessment cadence around it, the retirement raised an uncomfortable question: assess against what?
What did not change
The obligations underneath the CAT are fully intact. The Gramm-Leach-Bliley Act and the implementing safeguards expectations still require a comprehensive written information security program, board oversight, a designated responsible individual, risk assessments, control implementation, service provider oversight, incident response capability, and ongoing monitoring and adjustment. The FFIEC IT Examination Handbook still governs how examiners evaluate all of it. The CAT was never the requirement; it was one lens on the requirement, and the requirement outlived the lens.
What to anchor to instead
The FFIEC pointed institutions toward established industry frameworks, and in practice the field has consolidated around a few defensible choices. The NIST Cybersecurity Framework 2.0 offers the broadest and most examiner-recognized structure, organizing the program around six functions from governance through recovery. The CIS Critical Security Controls offer a more prescriptive, implementation-ordered alternative that smaller institutions often find easier to operationalize. The Cyber Risk Institute’s Profile, built specifically for financial institutions as a harmonization of NIST and regulatory expectations, has become the sector-specific option many mid-size institutions adopt. There is no wrong answer among them; there is only the wrong move of choosing none and letting the assessment cadence lapse.
What examiners actually look for now
- A deliberate transition, documented. If your last CAT was the final one, the file should show what replaced it, why that framework was chosen, and how prior findings carried forward. A gap in the assessment record is itself a finding.
- A risk assessment that drives decisions. Examiners increasingly test whether the risk assessment connects to the budget, the project list, and board reporting, or whether it is an annual document produced for the exam.
- Board-level engagement with substance. Minutes that show the board received a security update are weaker than minutes showing the board discussed the top risks, questioned management, and approved a plan.
- Third-party risk with teeth. Core processors, managed IT providers, and fintech partners concentrate enormous risk. Expect scrutiny of due diligence, contract provisions, and ongoing monitoring, not just a vendor list.
- Tested incident response. A plan plus evidence of testing, including how the institution would meet its notification obligations, has moved from good practice to baseline expectation.
The community institution advantage
Smaller institutions often read framework transitions as burden, but the honest advantage runs the other way: a community bank or credit union can stand up a coherent, framework-aligned program faster than a large institution can turn its committee structure. The work is choosing the framework deliberately, mapping the existing program to it once, and letting the gaps drive a prioritized plan. Done that way, the CAT’s retirement becomes the moment the program stopped being a workbook and started being a program.
Daytol builds and refreshes information security programs for community banks and credit unions, with practitioners who bring financial institution audit backgrounds to the examiner’s side of the table. If your assessment framework question is still open, it should be closed before your next exam cycle.