The CAT’s Not Coming Back: What comes next when the Cybersecurity Assessment Tool is retired, and how Cyera can help

Last year, the Federal Financial Institutions Examination Council (FFIEC) announced the retirement of its Cybersecurity Assessment Tool (CAT) on August 31, 2025. Unlike the cat from the beloved children's song, this CAT is not coming back, and financial institutions that have relied on it for the last decade must plan for its replacement.
Background
The FFIEC introduced the CAT in 2015 as a tool to help financial institutions assess their cybersecurity risk profile and maturity.
While not prescribing a specific framework to replace the CAT, the FFIEC has suggested other frameworks, particularly NIST CSF 2.0. This makes sense, as the CAT’s maturity levels were largely assessed by comparing organizations’ cybersecurity posture against NIST CSF 1.1 controls. With the release of version 2.0, it became clear the outdated CAT would either be updated or abandoned.
Nevertheless, while NIST CSF is often used for self-assessment and maturity measurement, it is not a risk assessment tool per se. Consequently, some industry analysts predict increased adoption of frameworks like the Cyber Risk Institute (CRI) Profiles. CRI Profiles assign financial institutions to one of four Tiers based on factors such as their size and interconnectedness with the global financial system. Tier 1 institutions pose the greatest systemic risk, while Tier 4 entities pose the least.
The Profiles are based on NIST CSF 2.0, with additional controls tailored specifically for the financial sector, including governance controls for supply chains, independent risk management, and independent audits. Depending on their risk Tier, organizations will be subject to either all control categories and subcategories or a subset matched to their size, complexity, and critical importance to the financial sector.
The Profiles’ complexity may deter smaller organizations for whom the basic NIST CSF framework will likely suffice. However, their systemic risk-based approach mirrors that of the EU’s Digital Operational Resilience Act (DORA), which may further drive their broader adoption by larger entities as multinational financial institutions converge on a common set of cybersecurity standards and practices.
How Cyera Helps
Cyera provides comprehensive coverage for most of the NIST CSF 2.0 control framework, excelling in critical technical controls covering data security, risk management, access control, and continuous monitoring. Indeed, Cyera’s AI-native Data Security Platform effectively addresses all six of NIST CSF’s core functions.
- GOVERN: Cyera’s Data Risk Assessment service supports the development of a cybersecurity risk management strategy by mapping an organization’s attack surface and identifying and prioritizing significant data security risks. Through asset discovery and classification, Cyera also helps identify data owners and their responsibilities.
- IDENTIFY: Cyera automates data discovery and classification across cloud and on-premises environments, creating a real-time, accurate inventory of sensitive data assets, including the users, applications, platforms, and databases that handle or store sensitive data. Cyera also identifies data-related vulnerabilities like excessive permissions and unencrypted sensitive data.
- PROTECT: Cyera monitors and reviews access controls, discovers stale or ghost accounts, and can automatically mask unencrypted sensitive data such as credit card numbers, Social Security numbers, or other sensitive personal information.
- DETECT: Cyera continuously monitors organizations’ data security posture and access patterns, establishing baselines for normal data operations and monitoring for deviations. It also monitors third-party service provider activity related to sensitive data.
- RESPOND: Cyera integrates with workflow tools to support automated remediation of data-related vulnerabilities. It also generates audit logs and reports on affected data and access patterns, and facilitates communication with stakeholders by providing detailed compliance and security reports. Furthermore, Cyera’s Breach Readiness service helps organizations develop more effective incident response and crisis communication plans.
- RECOVER: Cyera supports speedy recovery by identifying and prioritizing critical data assets and providing data insights to inform post-incident analysis. Through its partnership with backup provider Cohesity, Cyera helps organizations enhance operational resiliency by optimizing backup frequency based on data sensitivity and criticality.
In addition to the standard NIST CSF controls, the CRI Profiles contain several new control families specifically designed for the financial industry. These include:
- Independent Risk Management Function (GV.IR): Cyera can help suggest improvements to your organization’s risk management strategy. Its Data Risk Assessment service can help you identify gaps in your current data security posture and provide milestones and timelines for enhancing your data security maturity.
- Independent Audit Function (GV.AU): Cyera generates audit records and reports that can assist your organization in assessing compliance with internal and external controls. Moreover, Cyera’s Dataport and MCP Server allow you to query your Cyera data using natural language prompts, yielding quick and concise answers to questions like “which of my datastores contain credit card information in plain text?”
The CRI Profiles also prescribe various control family expansions, primarily relating to third-party risk management:
- Third Party Contracts and Agreements (EX.CN), Procurement Planning and Due Diligence (EX.DD), Monitoring and Managing Suppliers (EX.MM), and Relationship Termination (EX.TR): Cyera can identify third-party users and services with access to your data, monitor their access patterns, and keep tabs on their use of contractually required security controls such as multifactor authentication. It also detects stale or ghost accounts that may persist after the third-party relationship has been terminated.
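As an added illustration of the two detection ideas mentioned above (the DETECT function's "baseline normal data operations and monitor for deviations" and the third-party bullet's stale or ghost accounts), the following Python is example code written for this page; it is not Cyera's code and does not describe how its platform is implemented. The audit log lines, the account inventory, the principal names and the datastore names are all constructed sample data, and the z-score threshold and 90-day idle window are assumed values.

```python
"""Baseline-and-deviation detection over data-access audit records, plus
stale-account detection. Illustrative example only; all data is constructed."""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log: "timestamp,principal,datastore,rows_read".
# The last two lines are the "current day" that is evaluated against the baseline.
SAMPLE_LOG = """\
2025-09-01T09:00:00,alice,payments_db,120
2025-09-02T09:10:00,alice,payments_db,130
2025-09-03T09:05:00,alice,payments_db,110
2025-09-04T09:20:00,alice,payments_db,125
2025-09-01T10:00:00,vendor_svc,crm_db,40
2025-09-02T10:00:00,vendor_svc,crm_db,45
2025-09-03T10:00:00,vendor_svc,crm_db,38
2025-09-04T10:00:00,vendor_svc,crm_db,42
2025-09-05T02:30:00,alice,payments_db,9000
2025-09-05T10:00:00,vendor_svc,payments_db,41
"""

# Constructed account inventory: principal -> last recorded login date.
# "old_contractor" stands in for a third-party account left behind after offboarding.
ACCOUNTS = {
    "alice": "2025-09-05",
    "vendor_svc": "2025-09-05",
    "old_contractor": "2025-04-01",
}


def parse_log(text):
    """Parse CSV audit lines into (timestamp, principal, datastore, rows_read) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, principal, datastore, rows = line.split(",")
        events.append((datetime.fromisoformat(ts), principal, datastore, int(rows)))
    return events


def build_baseline(events, cutoff):
    """Per-principal baseline from events before cutoff: read-volume stats and datastores touched."""
    rows = defaultdict(list)
    stores = defaultdict(set)
    for ts, principal, datastore, n in events:
        if ts < cutoff:
            rows[principal].append(n)
            stores[principal].add(datastore)
    baseline = {}
    for principal, vals in rows.items():
        baseline[principal] = {
            "mean": statistics.mean(vals),
            "stdev": statistics.pstdev(vals),  # population stdev; 0 if all values equal
            "stores": stores[principal],
        }
    return baseline


def detect_deviations(events, baseline, cutoff, z=3.0):
    """Flag events at/after cutoff whose volume exceeds mean + z*stdev,
    or which touch a datastore the principal never used during the baseline."""
    findings = []
    for ts, principal, datastore, n in events:
        if ts < cutoff:
            continue
        b = baseline.get(principal)
        if b is None:
            findings.append((principal, datastore, "no baseline for principal"))
            continue
        if datastore not in b["stores"]:
            findings.append((principal, datastore, "new datastore"))
        # Floor the band width at 1 row so a perfectly constant history still yields a usable threshold.
        threshold = b["mean"] + z * max(b["stdev"], 1.0)
        if n > threshold:
            findings.append((principal, datastore, "volume spike"))
    return findings


def find_stale_accounts(accounts, events, as_of, max_idle_days=90):
    """Accounts with no login and no observed data access within max_idle_days of as_of."""
    last_seen = {name: datetime.fromisoformat(login) for name, login in accounts.items()}
    for ts, principal, _, _ in events:
        if principal in last_seen and ts > last_seen[principal]:
            last_seen[principal] = ts
    idle_limit = timedelta(days=max_idle_days)
    return sorted(name for name, seen in last_seen.items() if as_of - seen > idle_limit)


def run(as_of=datetime(2025, 9, 5)):
    """Baseline on everything before as_of, evaluate as_of's events, and list stale accounts."""
    events = parse_log(SAMPLE_LOG)
    baseline = build_baseline(events, as_of)
    return detect_deviations(events, baseline, as_of), find_stale_accounts(ACCOUNTS, events, as_of)


if __name__ == "__main__":
    deviations, stale = run()
    for finding in deviations:
        print("deviation:", finding)
    print("stale accounts:", stale)
```

Running it flags alice's 9,000-row read as a volume spike against a baseline of roughly 120 rows per day, flags vendor_svc for touching a datastore outside its baseline even though its volume is normal, and lists old_contractor as stale. A real deployment would key the baseline on more than raw row counts (time of day, source, data classification), but the structure is the same: learn what normal looks like per principal, then score each new event against it.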
The CAT may not be coming back, but Cyera can help you establish a mature data security posture, regardless of your CRI Profile Tier. Learn more by requesting a demo at Cyera.com.