Guides | By Rutvi Vadera | March 3, 2026 | 10 min read

The FFIEC CAT: A Cybersecurity Maturity Roadmap for Financial Institutions

For nearly a decade, the FFIEC Cybersecurity Assessment Tool gave banks and credit unions a shared vocabulary for measuring cyber maturity. The FFIEC has now retired it. The good news for financial institutions is that the discipline the CAT instilled does not retire with the tool. Z Cyber runs that discipline as a managed program, and migrates the underlying measurement to the frameworks examiners now expect.

Z Cyber is a cybersecurity operating partner for regulated financial institutions. We do not hand a bank a tool and a binder and wish it luck. We embed a dedicated forward-deployed security team, stand up the assessment on our AI-native GRC platform, Glance, and run the program continuously: scoring maturity, closing gaps, and producing examiner-ready evidence. The FFIEC Cybersecurity Assessment Tool, even in retirement, remains one of the cleanest maturity lenses ever published for banking. This guide explains what it measured, why it was sunset, and how to carry its value forward into the frameworks that replace it.

What the FFIEC CAT was, and why it mattered

The Federal Financial Institutions Examination Council released the Cybersecurity Assessment Tool in 2015 as a voluntary instrument to help financial institutions identify their cyber risk and measure their cybersecurity maturity. It was never a regulation in itself. It was a structured self-assessment that mapped cleanly to the NIST Cybersecurity Framework and to existing FFIEC IT Examination Handbook guidance, which is precisely why examiners across the member agencies grew comfortable seeing it in the field.

Its appeal was the structure. The CAT forced an institution to do two things in sequence: first, honestly rate how much inherent risk it carried, and second, measure whether its control maturity was proportionate to that risk. A small community bank with limited digital channels and a large regional institution offering mobile lending, wire origination, and dozens of third-party connections were not held to an identical bar. The tool let risk and maturity be read side by side, which is the entire point of a defensible cybersecurity program.

Part one: the Inherent Risk Profile

The first half of the CAT is the Inherent Risk Profile. It rates the risk an institution carries before any controls are applied, across five categories: technologies and connection types, delivery channels, online and mobile products and services, organizational characteristics, and external threats. Each activity within a category is rated on a scale from Least through Minimal, Moderate, Significant, and Most, and the institution reads the distribution of those ratings to arrive at an overall inherent risk level.

The honest part is the hard part. An institution that has added APIs, embedded a fintech partner, opened wire origination to commercial clients, and grown through acquisition has materially raised its inherent risk, often without anyone formally recording it. The Inherent Risk Profile makes that drift visible. When Z Cyber onboards a financial institution, recomputing this profile against the real, current technology and partner footprint is one of the first things our team does, because a maturity score only means something relative to the risk it is meant to cover.

Part two: the five Cybersecurity Maturity domains

The second half measures Cybersecurity Maturity across five domains, each assessed through declarative statements at five maturity levels: Baseline, Evolving, Intermediate, Advanced, and Innovative. Baseline statements generally map to minimum regulatory expectations. Higher levels require an institution to attest, with evidence, that increasingly mature practices are in place and operating, and the scoring is cumulative: a domain attains a level only when every declarative statement at that level and at every lower level is answered Yes or Yes with compensating controls. A stray Advanced practice does not lift a domain whose Intermediate statements are unmet. The five domains are the durable contribution of the CAT, and they remain a sound way to organize a banking security program regardless of which framework you formally report against.

Cyber Risk Management and Oversight
  What it measures: governance, strategy, board engagement, policies, and the cyber risk appetite.
  Where institutions commonly fall short: board reporting that is generic, and a risk appetite that is documented but never used to make decisions.

Threat Intelligence and Collaboration
  What it measures: gathering, analyzing, and acting on threat intelligence, and sharing through bodies such as sector ISACs.
  Where institutions commonly fall short: intelligence is received but not operationalized into detection or control changes.

Cybersecurity Controls
  What it measures: preventive, detective, and corrective controls: access, patching, configuration, and monitoring.
  Where institutions commonly fall short: controls exist on paper but lack the evidence to prove they operate continuously.

External Dependency Management
  What it measures: oversight of third parties, vendors, and the connections that extend the institution's attack surface.
  Where institutions commonly fall short: vendor inventories are stale, and critical fourth-party dependencies are invisible.

Cyber Incident Management and Resilience
  What it measures: detection, response, recovery, and the resilience of critical operations after an event.
  Where institutions commonly fall short: plans are written but rarely exercised, so recovery time is unknown until an incident proves it.

Read this table as a working agenda rather than a historical artifact. These five domains describe what a mature financial-services security program actually does, and they map cleanly onto the program Z Cyber operates inside Glance for our banking and credit-union clients.
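The cumulative scoring rule is the part most often lost when a CAT spreadsheet is rebuilt elsewhere, so here is a worked example of it. This is added illustration, not code from the page, from the FFIEC, or from Z Cyber's Glance platform. The level names and the two accepted answers (Yes, Yes with compensating controls) are the CAT's; the statement identifiers, domains sampled, and answers are constructed for the example and are not the CAT's actual declarative statements.

```python
from collections import defaultdict

# CAT maturity levels, lowest to highest.
LEVELS = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]

# Response values the CAT treats as meeting a declarative statement.
ATTAINED = {"Yes", "Yes with compensating controls"}

# Constructed sample responses: (domain, level, statement id, answer).
# Statement ids are illustrative placeholders, not real CAT statement ids.
SAMPLE_RESPONSES = [
    ("Cyber Risk Management and Oversight", "Baseline", "D1.B.1", "Yes"),
    ("Cyber Risk Management and Oversight", "Baseline", "D1.B.2", "Yes with compensating controls"),
    ("Cyber Risk Management and Oversight", "Evolving", "D1.E.1", "Yes"),
    ("Cyber Risk Management and Oversight", "Evolving", "D1.E.2", "Yes"),
    ("Cyber Risk Management and Oversight", "Intermediate", "D1.I.1", "Yes"),
    ("Cyber Risk Management and Oversight", "Intermediate", "D1.I.2", "No"),
    ("Cyber Risk Management and Oversight", "Advanced", "D1.A.1", "Yes"),
    ("Cyber Incident Management and Resilience", "Baseline", "D5.B.1", "Yes"),
    ("Cyber Incident Management and Resilience", "Baseline", "D5.B.2", "No"),
    ("Cyber Incident Management and Resilience", "Evolving", "D5.E.1", "Yes"),
]


def _answers_by_level(responses, domain):
    """Group one domain's statements by level as (statement id, attained?) pairs."""
    by_level = defaultdict(list)
    for d, level, sid, answer in responses:
        if d == domain:
            by_level[level].append((sid, answer in ATTAINED))
    return by_level


def domain_maturity(responses, domain):
    """Highest level at which every statement at that level and all lower levels is attained.

    Returns None when even Baseline is not fully met. A level with no recorded
    statements stops the climb: a level cannot be claimed without evidence.
    """
    by_level = _answers_by_level(responses, domain)
    achieved = None
    for level in LEVELS:
        entries = by_level.get(level, [])
        if not entries or not all(ok for _, ok in entries):
            break
        achieved = level
    return achieved


def blocking_statements(responses, domain):
    """Statement ids that keep the domain from reaching its next level."""
    by_level = _answers_by_level(responses, domain)
    achieved = domain_maturity(responses, domain)
    next_index = 0 if achieved is None else LEVELS.index(achieved) + 1
    if next_index >= len(LEVELS):
        return []
    return [sid for sid, ok in by_level.get(LEVELS[next_index], []) if not ok]


def score_all(responses):
    """Map each domain to (attained level or None, ids blocking the next level)."""
    domains = sorted({d for d, *_ in responses})
    return {d: (domain_maturity(responses, d), blocking_statements(responses, d)) for d in domains}


if __name__ == "__main__":
    for domain, (level, blockers) in score_all(SAMPLE_RESPONSES).items():
        print(f"{domain}: {level or 'below Baseline'}; blocking next level: {blockers}")
```

Note what the first domain shows: its Advanced statement is answered Yes, but it scores Evolving because one Intermediate statement is No. That is the behaviour a hand-built tracker tends to get wrong, usually by averaging or by counting any Yes at a level.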

Still running your maturity assessment in a spreadsheet?

Z Cyber stands up the five domains in Glance and operates the program for you, with examiner-ready evidence attached to every control.

Talk to an Advisor →

The CAT has been retired

This is the part many institutions have not fully absorbed. The FFIEC announced that the Cybersecurity Assessment Tool would be sunset and stated that it would no longer be supported or maintained after August 31, 2025. The tool is no longer being kept current, and the FFIEC has pointed institutions toward other standardized tools and frameworks instead, naming the NIST Cybersecurity Framework, the Cyber Risk Institute (CRI) Profile, and the CISA Cybersecurity Performance Goals. You can read the FFIEC's position directly on ffiec.gov.

Retirement does not mean the underlying expectations vanished. The FFIEC IT Examination Handbook still governs examinations, and the supervisory interest in governance, controls, third-party oversight, and resilience is, if anything, intensifying. What changed is the measuring stick. Institutions that built their entire program narrative around the CAT now need a migration plan that preserves the work and re-expresses it in a framework the agencies will keep maintaining.

What replaces the FFIEC CAT

There is no single mandated successor, which is deliberate. The FFIEC pointed to a set of standardized frameworks and let institutions choose the fit. In practice, two paths dominate for banks and credit unions.

The first is the NIST Cybersecurity Framework, now at version 2.0, which adds a dedicated Govern function alongside Identify, Protect, Detect, Respond, and Recover. NIST CSF 2.0 is broad, well maintained, and widely understood by examiners, and it maps comfortably to the work institutions already did under the CAT. If you want to ground your program in a standard that will be supported for the long term, this is the natural anchor. Our NIST CSF 2.0 compliance checklist walks through each function in practical terms.

The second is the Cyber Risk Institute (CRI) Profile, which deserves attention because it was built specifically for the financial sector. The CRI Profile harmonizes a large set of regulatory expectations into a single diagnostic question set, so an institution answers once and maps to many obligations at the same time. For a bank tired of re-answering the same control questions for every regulator and every examiner, that consolidation is the entire value proposition. The CISA Cybersecurity Performance Goals round out the picture as a prioritized baseline of high-impact controls, useful as a floor rather than a complete program.

Financial institutions operating in New York carry an additional, hard regulatory obligation on top of whichever framework they adopt. The NYDFS Part 500 cybersecurity regulation is enforceable, not voluntary, and its 2023 amendments phased in on a staggered schedule with their own deadlines. If you fall under that regime, treat it as a parallel track and work through our NYDFS Part 500 compliance checklist alongside your framework migration.

How Z Cyber migrates you without losing the work

The migration risk is not technical. It is the temptation to treat the CAT's retirement as a reason to start over, throwing away years of accumulated maturity scoring and evidence. That is wasteful, because the five maturity domains and the inherent-risk discipline translate almost directly into NIST CSF 2.0 and the CRI Profile: the CAT was itself built on the NIST Cybersecurity Framework, and the CRI Profile is derived from it, so the correspondence runs statement to subcategory rather than program to program.

Z Cyber's forward-deployed team runs the migration as a managed program inside Glance. We ingest your existing CAT responses, map each maturity statement to the corresponding NIST CSF 2.0 subcategory or CRI Profile diagnostic statement, and carry the evidence forward so nothing is reassessed from zero. Glance then maintains the crosswalk continuously, which means a single piece of control evidence can satisfy NIST, the CRI Profile, NYDFS Part 500, and your examiners at once, rather than being re-collected for each. Because Z Cyber operates the program rather than selling you software, your team is not left to keep the mappings current as frameworks evolve. We do that.

What examiners actually want to see now

Strip away the framework debate and the supervisory expectation is consistent. Examiners want evidence that you understand your inherent risk, that your controls are proportionate to it, that third-party and resilience risks are managed rather than assumed, and that your board is genuinely engaged. The CAT was one way to demonstrate that. NIST CSF 2.0 and the CRI Profile are the maintained ways to demonstrate it now. The substance has not moved.

What separates institutions that pass examinations cleanly from those that scramble is not which framework they picked. It is whether the program runs continuously, with current evidence, or whether it is reconstructed in a panic before each exam. That continuous operation is exactly what Z Cyber exists to provide for financial-services clients. If you want to see how that works for an institution like yours, start with our financial services practice.

Migrate off the CAT without starting over.

Z Cyber maps your existing maturity work to NIST CSF 2.0 and the CRI Profile, then runs the program continuously.

Talk to an Advisor →

Frequently Asked Questions

What is the FFIEC CAT?

The FFIEC Cybersecurity Assessment Tool (CAT) was a voluntary self-assessment released in 2015 by the Federal Financial Institutions Examination Council to help financial institutions identify their cyber risk and measure cybersecurity maturity. It has two parts: an Inherent Risk Profile and a Cybersecurity Maturity assessment across five domains.

Is the FFIEC Cybersecurity Assessment Tool being retired?

Yes. The FFIEC announced that the Cybersecurity Assessment Tool would be sunset and stated it would no longer be supported or maintained after August 31, 2025. The FFIEC pointed institutions toward other standardized frameworks instead.

What are the FFIEC CAT maturity domains?

The CAT measures Cybersecurity Maturity across five domains: Cyber Risk Management and Oversight, Threat Intelligence and Collaboration, Cybersecurity Controls, External Dependency Management, and Cyber Incident Management and Resilience. Each is assessed at five levels from Baseline through Evolving, Intermediate, Advanced, and Innovative.

What replaces the FFIEC CAT?

The FFIEC did not mandate a single successor. It pointed institutions toward standardized frameworks including the NIST Cybersecurity Framework (now version 2.0), the Cyber Risk Institute (CRI) Profile built for the financial sector, and the CISA Cybersecurity Performance Goals.

How do banks migrate from the CAT without losing their work?

The five maturity domains and inherent-risk discipline map directly onto NIST CSF 2.0 and the CRI Profile, so existing CAT responses and evidence can be carried forward rather than reassessed. Z Cyber runs this migration as a managed program inside Glance, maintaining the crosswalk continuously so one piece of evidence satisfies multiple frameworks and examiners at once.
