With the sunset of the FFIEC Cybersecurity Assessment Tool (CAT) slated for August 2025, many financial institutions are left wondering: What now? For a decade, CAT has been the backbone of cybersecurity risk assessments in the banking industry. As we move forward, regulators have outlined four alternative frameworks institutions can leverage to ensure continued cybersecurity compliance and risk management.
In this post, we’ll explore these four options, weigh their pros and cons, and offer guidance to help you chart a strategic path in this transitional time.
Option 1: NIST Cybersecurity Framework (CSF) 2.0
The National Institute of Standards and Technology (NIST) released its updated Cybersecurity Framework (CSF 2.0) in February 2024. NIST has long been a trusted name in cybersecurity, especially within critical infrastructure sectors, and its framework continues to offer comprehensive guidance.
What’s New:
CSF 2.0 adds a sixth core function, Govern, alongside the well-known functions of Identify, Protect, Detect, Respond, and Recover. The new function covers cybersecurity strategy, roles and responsibilities, policy, and oversight, which is a welcome addition for institutions seeking to bolster board and management oversight of their programs.
Pros:
- Widely adopted across multiple industries
- Supported by the Department of Homeland Security
- Highly detailed with strong governance elements
Cons:
- Complex to implement, especially for smaller or less-resourced institutions
- Lacks CAT’s built-in pairing of an inherent risk profile with a maturity (controls) assessment
- Less prescriptive—requires interpretation and customization
Best For:
Organizations with mature cybersecurity programs or those seeking a comprehensive and scalable framework.
Option 2: Cyber Risk Institute (CRI) Profile
The CRI Profile is a financial-sector adaptation of the NIST CSF, with its controls tailored to and mapped against the regulatory expectations that apply to financial institutions. This alignment is a significant advantage for community banks and credit unions.
Pros:
- Tailored specifically for financial institutions
- Maps to NIST and provides guidance on relevant controls
- Easier transition for institutions already familiar with CAT
Cons:
- The inherent risk profile is less robust than CAT’s
- Many community banks are automatically slotted into higher risk levels due to how questions are structured
- Doesn’t account for certain modern risk factors (e.g., Banking as a Service or fintech innovation)
Best For:
Institutions looking for a familiar, industry-specific alternative to CAT with a direct connection to NIST standards.
Option 3: Center for Internet Security (CIS) Controls
CIS offers a highly practical, control-based framework. It’s designed with ease of use in mind, particularly for small to mid-sized businesses, making it an accessible choice for many banks.
Pros:
- Straightforward implementation
- Great for working with managed service providers or internal IT teams
- Offers a clear view of implemented vs. missing controls
Cons:
- Structured around Implementation Groups (IG1–IG3), which are keyed to an organization’s size and resources rather than to the inherent risk tiers banks are used to, so they don’t translate well to banking environments
- Lacks inherent risk profiling out-of-the-box
- May need customization to suit financial institutions’ specific needs
Best For:
Smaller institutions or those prioritizing ease of implementation and quick wins.
Option 4: CISA Financial Services-Specific Framework (Coming 2025)
The Cybersecurity and Infrastructure Security Agency (CISA) is actively developing a framework specifically for financial services, expected to be released in late 2025.
Pros (Anticipated):
- Purpose-built for financial institutions
- Backed by a federal agency with deep cybersecurity expertise
Cons:
- Not available yet
- Leaves a temporary gap between CAT’s sunset and its release
Best For:
Those willing to wait and monitor for developments while temporarily adopting one of the other three options.
How do you choose a framework?
Unfortunately, there’s no one-size-fits-all answer. Each framework has its strengths and challenges. The key lies in evaluating your institution’s current cybersecurity maturity, available resources, and risk appetite.
At Finosec, we see this sunset as an opportunity, not a setback. By keeping your current CAT inherent risk profile intact and layering in the easy-to-implement controls from CIS, you can begin to modernize your cybersecurity approach while laying the groundwork for future expansion into frameworks like NIST CSF 2.0 or the CRI Profile.
Because this change presents a rare industry moment to marry change with innovation, we’re hosting a “Sunset of the CAT” webinar. Not only will we go through these frameworks in more detail, but we will also discuss how Finosec is leveraging this opportunity to create a scalable, simplified and robust option suited specifically for community banks. Join us at our next event in the series. All registrants will receive resources to help them weigh their options, understand the differences between the frameworks, and guide conversations within their organizations.