By Raj Patel
The retirement of the CAT tool (Cybersecurity Assessment Tool) marks a confusing new chapter in cybersecurity risk management for community banks. When NIST CSF 1.0 was introduced in 2014, its complexity made it challenging for smaller institutions to implement, and it didn’t fully address critical areas such as governance and third-party risks. To address these gaps, the FFIEC launched the Cybersecurity Assessment Tool (CAT) in June 2015, providing a more straightforward self-assessment approach that helped community banks identify risks and measure their cybersecurity preparedness.
Fast forward to August 2023, and the cybersecurity landscape has evolved. The release of NIST CSF 2.0 now offers a more comprehensive framework, addressing previously overlooked areas like governance and third-party risks. Over the past decade, community banks have significantly matured in their cybersecurity practices, prompting the FFIEC to conclude that they are now ready to transition to NIST CSF 2.0. As a result, the CAT tool will officially be retired, and community banks are encouraged to adopt the more robust NIST CSF 2.0 framework, with three primary options provided to guide this transition:
Cyber Risk Institute (CRI) Cyber Profile
CISA Cybersecurity Performance Goals
Center for Internet Security (CIS) Controls
The CRI and CISA tools are built upon the NIST CSF 2.0 framework. The Cyber Risk Institute (CRI) has already released its framework tailored for financial institutions, while CISA is expected to introduce its financial institution framework later in 2024. Despite these updates, both frameworks are still complex to implement, and community banks will likely need the support of cybersecurity professionals to guide them through this transition.
Alternatively, the Center for Internet Security (CIS) offers a simpler framework, but it may not fully meet all regulatory requirements. Designed primarily for small businesses, the CIS framework isn’t intended for organizations within critical infrastructure sectors, such as financial institutions. This is why most organizations in regulated industries continue to rely on NIST CSF, which offers a more comprehensive and compliance-driven approach to cybersecurity.
What Should Institutions Do?
Firstly, it’s important to recognize that your institution’s core cybersecurity program will not undergo drastic changes. For example, you won’t need to overhaul your password policies or implement entirely new technology solutions. The primary change will be a shift in your risk management and controls framework, which will now align with NIST CSF 2.0 control requirements. This transition will require significant effort in 2025, as your management and board will need to understand, adapt to, and implement the changes in the new framework. Think of it as remodeling your bank branch—your core operations remain the same, but there’s a refreshed structure and updated approach to how things are managed and monitored.
Secondly, community banks should take a cautious and strategic approach in 2024 by waiting for additional guidance and established industry best practices to emerge before fully committing to the transition. This period offers an excellent opportunity to strengthen and update your existing cybersecurity program. It’s essential to conduct a thorough review and enhancement of critical areas that may have been overlooked or become outdated over time.
For instance, many banks may have outdated policies, business continuity and disaster recovery plans, or cyber incident response plans that no longer reflect current threats or technologies. Updating these plans to ensure they are comprehensive, actionable, and relevant to today’s cyber risk environment is crucial. Additionally, banks should review their cybersecurity insurance policies to confirm they have adequate coverage aligned with the evolving threat landscape and regulatory requirements. By addressing these foundational aspects now, community banks will be in a much stronger position to transition to the NIST CSF 2.0 framework when the time is right.
Lastly, community banks should proactively plan and budget for a robust transition starting in January 2025. Delaying this process until later in the year could result in falling behind, with regulators and auditors potentially reporting to management and boards that their cybersecurity risk management and mitigation processes are inadequate. To avoid this, it’s vital to act early and leverage the expertise of cybersecurity experts to guide you through the transition, ensuring your institution is well-prepared, compliant, and ahead in managing cybersecurity risks.
About the Author
Raj Patel is a Partner with FinCyberTeck and has 27 years of experience in cybersecurity working with over 100 community banks and institutions.