FFIEC Cybersecurity Assessment
Frequently Asked Questions
Answers for compliance officers, GCs, and CISOs at banks, credit unions, and other FFIEC-supervised financial institutions about Law & Forensics' cybersecurity assessment practice — including transition guidance from the legacy CAT to NIST CSF 2.0. Contact us for a confidential consultation.
What FFIEC examiners now expect, how the sunset of the Cybersecurity Assessment Tool (CAT) changes the playbook, and how an FFIEC assessment integrates with NY DFS, GLBA, and SOC 2 obligations.
What is an FFIEC cybersecurity assessment?
An FFIEC cybersecurity assessment is a structured evaluation of a financial institution's inherent risk and cybersecurity maturity, aligned with examiner expectations under the FFIEC IT Examination Handbook.
The legacy Cybersecurity Assessment Tool (CAT) measured Inherent Risk across five categories and Cybersecurity Maturity across five domains. The FFIEC announced the CAT will sunset on August 31, 2025, with examiners migrating toward NIST CSF 2.0, the CRI Profile, and the CISA CPGs as accepted equivalents.
The FFIEC CAT is sunsetting in 2025 — what should we use instead?
The FFIEC has indicated that NIST CSF 2.0, the Cyber Risk Institute (CRI) Profile, and the CISA Cybersecurity Performance Goals are appropriate replacements.
For most community and mid-size banks, the CRI Profile (a financial-sector tailoring of NIST CSF) is the most direct CAT replacement. We help institutions transition assessment artifacts, maturity scoring, and board reporting from the CAT format into a CRI- or CSF-aligned program with continuity of evidence.
What does Law & Forensics' FFIEC cybersecurity assessment cover?
The full scope of the FFIEC IT Examination Handbook — Information Security, Business Continuity Management, Outsourcing Technology Services, Operations, Audit, and Management.
We assess inherent risk drivers (technology footprint, delivery channels, online/mobile products, external connections, organizational characteristics, threats), cybersecurity controls maturity, third-party risk, and incident response. The deliverable maps to either the CAT (if your examiner still expects it) or the CRI Profile / NIST CSF 2.0.
What are the FFIEC cybersecurity incident notification requirements?
The Computer-Security Incident Notification Rule (12 CFR Parts 53, 225, and 304) requires notification to the primary federal regulator "as soon as possible and no later than 36 hours" after determining a notification incident has occurred.
The 36-hour clock is among the shortest in U.S. financial regulation. Bank service providers are separately required to notify their bank customers as soon as possible after determining an incident has caused or is reasonably likely to cause four or more hours of disruption.
How does FFIEC guidance treat third-party and cloud service providers?
The 2023 Interagency Guidance on Third-Party Relationships sets out a full lifecycle approach — planning, due diligence, contract negotiation, ongoing monitoring, and termination.
For cloud, the FFIEC's Joint Statement on Cloud Computing emphasizes shared responsibility, data classification, encryption, access management, and contingency planning. Our vendor due diligence service is calibrated to FFIEC examiner expectations.
How does an FFIEC assessment support board oversight?
FFIEC examiners expect documented evidence that the board reviews and approves the cybersecurity program, the risk assessment, and the strategic direction of the security function.
We deliver a board-ready executive summary, a maturity heatmap, a peer-benchmark view, and minutes-ready talking points. See our board-level cybersecurity services for ongoing director education and program oversight support.
