To properly understand and mitigate rapidly evolving cybersecurity threats and risks, financial institutions must constantly review their practices and controls to adapt. To help assess their cybersecurity posture, financial institutions rely on risk management tools and vetted frameworks — such as the FFIEC’s Cybersecurity Assessment Tool (CAT) — to stay one step ahead.
Faced with increasing complexities, the Federal Financial Institutions Examination Council (FFIEC) announced in August of 2024 that it would retire its widely adopted Cybersecurity Assessment Tool (CAT) on August 31, 2025. With the cybersecurity landscape rapidly changing, the retirement of CAT leaves financial institutions in need of a replacement to ensure compliance with financial services regulations.
What is the Cybersecurity Assessment Tool (CAT)?
First released in 2015, CAT was designed to give financial institutions a repeatable and measurable process for assessing their cybersecurity preparedness.
The assessment is performed in two parts. The first part enables a financial institution to determine its risk profile (least inherent risk, minimal inherent risk, moderate inherent risk, significant inherent risk, and most inherent risk) based on five categories:
- Technologies and Connection Types
- Delivery Channels
- Online/Mobile Products and Technology Services
- Organizational Characteristics
- External Threats
Once the financial institution determines its risk profile, it can then evaluate its maturity level (ranging from baseline to innovative) for five domains:
- Cyber Risk Management and Oversight
- Threat Intelligence and Collaboration
- Cybersecurity Controls
- External Dependency Management
- Cyber Incident Management and Resilience
Based on its risk profile and maturity levels, the financial institution can decide to take steps to lower its risk levels, raise its maturity levels, or simply continue monitoring the inherent risks.
Importance of Adopting a Modern Cybersecurity Framework
Cyberattacks and cybercrime can affect any organization in multiple ways, with operational, reputational, and financial consequences. According to a report by Statista, worldwide cybercrime is expected to cost 10.5 trillion dollars annually in 2025, with costs only expected to go up in future years.
Due to these potentially large impacts, cybersecurity needs to be an enterprise-wide program, directly supported by the most senior-level managers, as it will encompass several areas of the business, including information technology, risk management, and finance.
Adopting a modern cybersecurity framework provides a structured approach to managing cybersecurity risks with proper controls and processes.
If your organization has already adopted the CAT, you are aware of its importance and necessity. With the impending retirement of CAT in August of this year, the FFIEC in its announcement letter has recommended that “Supervised financial institutions may also consider the use of industry-developed resources, such as the Cyber Risk Institute’s (CRI) Cyber Profile..."
The CRI Profile
The CRI Profile is a cybersecurity framework developed by the Cyber Risk Institute (CRI) for the financial sector. It is based on globally recognized standards, such as the NIST Cybersecurity Framework (CSF) and the International Organization of Securities Commissions (IOSCO) frameworks.
The CRI Profile enhances the visibility of existing cybersecurity risks and then provides a structured approach for documenting and managing these risks. Additionally, when these managed risks and mitigation activities are aligned with the business strategy, it contributes toward meeting organizational goals.
Because the CRI Profile consolidates various cybersecurity frameworks, the cost of compliance goes down: reducing inherent risks or raising the organization’s maturity in a CRI Profile domain also satisfies the corresponding requirements of other standards, so a single effort demonstrates compliance across multiple audits.
Technology’s Role
Tools like AI have already made significant inroads into cybersecurity protection through threat detection, threat response, and mitigating vulnerabilities. When it comes to compliance, AI tools can help compliance practitioners streamline some of their tasks and activities:
- Change detection – As laws and regulations frequently change, AI tools can assist by detecting changes and revisions that people may miss, which can otherwise lead to assessment errors.
- Task automation – AI can automate certain routine tasks such as suggesting/writing controls, mapping controls, and ingesting data. This improves both accuracy and efficiency.
Although leveraging AI to assist human practitioners now provides an advantage, it will soon become a necessity.
Vistrada’s Value
As the retirement date for the Cybersecurity Assessment Tool (CAT) draws closer, the consequences of not properly planning and transitioning to a new framework such as the CRI Profile grow larger. This is why it is important to consider, now, partnering with an experienced compliance and risk management professional.
Vistrada can help your financial institution transition from the expiring CAT standard to the new CRI Profile seamlessly and effectively. Our approach consists of four streamlined phases:
- Discovery & Planning - Reviewing current security documentation and establishing project timelines.
- Assessment & Gap Analysis - Evaluating your current state against over 300 CRI controls.
- Remediation Planning - Developing a detailed roadmap for addressing identified gaps.
- Documentation & Reporting - Preparing comprehensive reports and attestation materials.
Contact Vistrada to properly transition to the CRI Profile and for assistance in adopting other regulatory compliance solutions.