FFIEC CAT to the CRI Cyber Profile 2.0

Why Some Financial Institutions Are Transitioning from FFIEC CAT to the CRI Cyber Profile 2.0

By Rey LeClerc Sveinsson, PhD

The FFIEC’s decision to retire the Cybersecurity Assessment Tool (CAT), which most U.S. financial institutions use to identify their cyber risks, means banks will soon need to transition to more up-to-date, industry-specific tools that better address today’s cybersecurity risks and regulatory expectations.

Before the CAT sunsets on August 31, 2025, banks can turn to several standardized resources, including the:


While the FFIEC does not endorse any specific tool, many financial institutions have started adopting the Cyber Risk Institute’s (CRI) Cyber Profile 2.0. The shift is a response to how cybersecurity risk management and regulatory expectations have evolved.


The Advantages of the CRI Profile

The CRI Profile is designed to be more practical, more flexible, and better aligned with today’s complex regulatory landscape. The CRI Cyber Profile 2.0 offers a more effective, future-ready path for managing cybersecurity risk and meeting regulatory expectations without unnecessary complexity.

Unlike the FFIEC CAT, which hasn’t changed much since it was first released in 2015, the CRI Profile is regularly updated to reflect new threats, technologies, and regulatory changes. It was developed by the financial sector, in close coordination with regulators, which means it strikes a good balance between operational needs and compliance obligations.

That collaboration also means the framework reflects what regulators expect — not just what they’ve published in guidance.

One of the biggest strengths of the CRI Profile is that it doesn’t exist in a silo. It is mapped to a wide range of standards and regulations, including the NIST Cybersecurity Framework, NIST SP 800-53, ISO/IEC 27001, and global financial-sector expectations such as those from the Basel Committee.

This makes it easier for institutions to meet multiple regulatory requirements without duplicating effort. In practice, this also means less time spent managing different frameworks and more time focusing on actual risk.


Figure 2: The CIA Triad of Data Security (Image from NIST SP1800-26)

A Scalable Standard

Another practical advantage is scalability. The CRI Profile is designed to be risk-based, which means it can be scaled up or down depending on the size and complexity of your institution. Smaller banks can adopt a lighter version, while larger institutions can dig into a more detailed profile.

This kind of flexibility is something the FFIEC CAT doesn’t offer, and it’s particularly useful for financial institutions with operations in multiple jurisdictions.

Governance is also a key benefit. The CRI Profile supports better reporting and decision-making at the executive and board level. It presents cybersecurity posture and maturity in a way that is easier for senior leadership to understand, something many CISOs struggle with when using more technical frameworks. It turns cybersecurity into a business conversation, not just a compliance checkbox.

For institutions operating globally or dealing with multiple regulators, the CRI Profile is especially valuable. It supports alignment with the SEC’s new cyber disclosure rules, the EU’s Digital Operational Resilience Act (DORA), the UK’s PRA/FCA expectations, and more.

The result is a single, integrated approach to cybersecurity risk management that works across borders and regulatory regimes.

Industry support for the CRI Profile is growing. It's backed by key trade associations such as the Bank Policy Institute, SIFMA, and the American Bankers Association. Many large banks and insurers have already adopted it as their primary framework. It’s not hard to see why: it’s more modern, more aligned with how businesses operate, and better suited to the demands of both today and tomorrow.


CRI Cyber Profile 2.0 vs. FFIEC CAT Comparison

Here’s a summary of how the CRI Profile differs from the FFIEC CAT:

[Comparison table: CRI Cyber Profile 2.0 vs. FFIEC CAT]

Practical Steps to Transition to CRI Cyber Profile 2.0

Switching from the FFIEC CAT to the CRI Cyber Profile 2.0 isn’t just a matter of swapping out one framework for another; it’s a strategic shift. The CRI Profile is more comprehensive, more flexible, and better aligned with today’s cybersecurity risks and regulatory pressures. But to get the full benefit, the transition needs to be planned and phased thoughtfully. Here is some guidance on how to make the change:

1. Assess Where You Stand

Start by reviewing your current cybersecurity program through the lens of the CRI Profile. This isn’t just a checklist exercise — it’s about understanding how well your current controls align with today’s expectations.

Use CRI’s diagnostic structure to identify critical gaps, overlaps, and areas where your program may be out of sync with evolving threats or compliance requirements. This baseline will help you prioritize the next steps and allocate resources where they matter most.

2. Take a Phased Approach

Rolling out the CRI Profile across your organization all at once can be overwhelming — not to mention disruptive. Instead, consider a phased implementation. Start with areas that carry the highest risk or that are under the most regulatory scrutiny, such as third-party risk management, incident response, or business continuity. These are often good pilot areas because they already have strong oversight and cross-functional involvement, which makes it easier to integrate new practices.

3. Align With Your Annual Planning Cycle

Rather than treating CRI as a standalone initiative, weave it into your existing planning and review cycles. Schedule CRI-based assessments during your organization’s regular cybersecurity reviews, IT governance meetings, or internal audit planning. This helps normalize the process, reduces duplication, and gives leadership a clear, predictable view of cybersecurity posture over time.


4. Use the Right Tools to Support the Transition

You don’t have to do this manually. There are tools out there — such as those from Axio, Tandem, and the American Bankers Association — that are designed to support CRI implementation. They can help automate the mapping of your existing controls to the CRI Profile, collect evidence, track maturity, and generate reporting that’s ready for regulators or the board. These platforms can significantly reduce the operational burden and improve the consistency of your assessments.


Making the Move from FFIEC to CRI

The retirement of the FFIEC Cybersecurity Assessment Tool marks more than just the end of a framework; it signals a broader shift in how financial institutions are expected to approach cyber risk management. It also presents a real opportunity for institutions to step back, reassess, and elevate their cybersecurity programs to meet modern demands.

The CRI Cyber Profile 2.0 is one of many options, but it isn’t just a plug-and-play replacement for FFIEC CAT — it’s a thoughtful, forward-looking framework designed to help financial institutions align their cybersecurity practices with both emerging threats and an increasingly complex regulatory environment. It provides a structured, scalable approach that not only addresses today’s risk landscape but is built to evolve alongside it.

Beginning the transition to the CRI Cyber Profile 2.0 well ahead of the August 31, 2025 sunset allows teams to plan carefully, integrate the CRI Profile into existing risk and compliance structures, and avoid last-minute scrambles to meet audit or regulatory expectations. Leveraging the guidance and resources offered by the Cyber Risk Institute, as well as trusted implementation partners, can make the transition smoother and more impactful.

While adopting the CRI Profile is not mandatory, it is quickly becoming a standard for institutions that want a smarter, more operationally efficient, and business-aligned way to manage cybersecurity. It simplifies complexity, reduces overlap, and provides clearer insight into how well your controls are protecting the organization. Transitioning to the CRI Cyber Profile 2.0 is more than a compliance exercise — it’s a strategic investment in resilience, governance, and long-term cyber maturity.

Figure: CRI Profile v2.0 Overview (Source: Cyber Risk Institute)

ERMProtect Is Ready To Transition You To CRI Cyber Profile 2.0

ERMProtect can play a valuable role in helping financial institutions make a smooth and effective transition from the FFIEC Cybersecurity Assessment Tool to the CRI Cyber Profile 2.0 or any of the other designated standards. With experience in both cybersecurity strategy and regulatory compliance, our professionals offer practical support at every stage of the process.

This includes conducting a detailed gap analysis to assess where current controls may fall short, guiding the development of a phased rollout plan to avoid disruption, and helping teams integrate the new framework into existing risk, audit, and compliance processes.

ERMProtect also can assist with selecting the right tools to automate assessments and reporting, and help institutions prepare for regulatory reviews by aligning documentation with what auditors and supervisors typically look for. The company also provides tailored training to ensure everyone — from IT teams to board members — understands how to use the CRI Profile effectively.

For free guidance on transitioning your financial institution to one of the relevant standards, please contact Silka Gonzalez or call 305-445-6750. For 27 years, ERMProtect has specialized in performing risk assessments for financial institutions in the U.S. and abroad.


About the Author

Dr. Rey Leclerc Sveinsson is an expert in Privacy and Data Protection, Information Security, and Technology Governance, Risk & Compliance (IT GRC). He has developed information assurance programs for major organizations globally during his career as well as serving as a Consultant for ERMProtect. He has a PhD in Information Systems and multiple master’s degrees in the areas of privacy, information technology, and cybersecurity laws.
