The FFIEC Cybersecurity Assessment Tool (CAT) is a diagnostic framework developed by the Federal Financial Institutions Examination Council (FFIEC) to help financial institutions in the United States identify their inherent cyber risk and evaluate their cybersecurity maturity across a standardized set of declarative statements. It replaces the 2015 version of the CAT and aligns with the FFIEC Information Technology Examination Handbook’s cybersecurity principles and practices. The tool is not a prescriptive regulation but a self-assessment that examiners use during IT and cybersecurity examinations to gauge an institution’s risk posture and preparedness against evolving threats, directly informing regulatory findings under frameworks such as the GLBA’s FTC Safeguards Rule and NYDFS 23 NYCRR Part 500.
Key Takeaways
- The FFIEC CAT is a voluntary assessment tool, not a regulation, but its results are routinely reviewed by federal and state examiners.
- It measures cybersecurity maturity in five domains: Cyber Risk Management, Cyber Risk Oversight, Threat Intelligence and Collaboration, Cybersecurity Controls, and Resiliency.
- The tool uses a “Declarative Statements” format, requiring institutions to select the maturity level that best describes their current state.
- Financial institutions must complete the CAT at least annually or upon significant changes to their risk profile or technology environment.
- The CAT is part of the broader FFIEC IT Examination Handbook, which includes booklets on cybersecurity, business continuity, and vendor management.
Core Components of the FFIEC CAT
The assessment is structured around two primary axes: Inherent Risk and Cybersecurity Maturity. Inherent Risk evaluates the institution’s digital footprint, technology complexity, and reliance on third parties. Cybersecurity Maturity measures how advanced the institution’s controls and processes are across five domains: Cyber Risk Management, Cyber Risk Oversight, Threat Intelligence and Collaboration, Cybersecurity Controls, and Resiliency. Each domain is broken into subcategories with declarative statements at five maturity levels (Baseline, Evolving, Intermediate, Advanced, and Innovative). The tool does not mandate a target maturity level—that decision rests with senior management and the board—but examiners expect that higher inherent risk correlates with proportionally higher maturity.
Who Must Use the FFIEC CAT?
The FFIEC CAT applies to any federally regulated financial institution in the United States, including national banks (OCC), state member banks (Federal Reserve), state non-member banks (FDIC), savings associations, and credit unions (NCUA). It also applies to bank holding companies and thrift holding companies. While the tool is formally “voluntary,” nearly every examiner expects completion of the CAT or an equivalent assessment during the IT examination cycle. Institutions subject to the Gramm-Leach-Bliley Act (GLBA) and the FTC’s Safeguards Rule are strongly encouraged by examiners and the FFIEC to use the CAT as their risk assessment methodology. In the USA, non-bank financial entities—such as mortgage brokers, payday lenders, and securities firms—are not directly covered by the FFIEC but may adopt the CAT voluntarily for best practices or to satisfy state-level requirements like the NYDFS Cybersecurity Regulation (23 NYCRR Part 500).
How the FFIEC CAT Is Used During Examinations
Examiners use the completed CAT as a starting point for discussions about cyber risk management. They review the institution’s inherent risk profile and maturity responses and challenge inconsistencies or gaps. For example, if an institution identifies high inherent risk in technology infrastructure but only Baseline maturity in cybersecurity controls, the examiner will likely require a remediation plan. The CAT results are captured in the exam reports, which may trigger enforcement actions—such as Memoranda of Understanding (MOUs) or Consent Orders—if deficiencies are material. The FFIEC does not publish a “pass/fail” threshold, but examiners look for a clear relationship between inherent risk and maturity, supported by evidence such as policies, risk assessments, incident response plans, and board reporting.
Differences Between the FFIEC CAT and NIST CSF
Many financial institutions also use the NIST Cybersecurity Framework (CSF) for broader cybersecurity risk management. The FFIEC CAT is narrower—it is explicitly designed for the financial services sector and maps directly to the FFIEC IT Examination Handbook. The NIST CSF is sector-agnostic and more flexible but less prescriptive for exam purposes. A key distinction is that the FFIEC CAT uses declarative statements with a forced maturity level, while the NIST CSF uses outcome-based tiers (Partial, Risk Informed, Repeatable, and Adaptive). Some institutions complete both assessments and map the results to satisfy both regulatory expectations and enterprise risk management requirements. The FFIEC has published mapping guidance to help institutions align the two frameworks where they overlap.
How to Prepare for an FFIEC CAT Examination
Preparation begins with a thorough understanding of your institution’s inherent risk profile, including its technology environment, third-party dependencies, and threat landscape. Next, complete the CAT in collaboration with stakeholders from IT, information security, risk management, compliance, and business lines. Do not let a single person fill out the tool alone—group input reduces bias. Review each declarative statement carefully and match it to actual practices, not aspirational goals. Once the CAT is complete, generate a gap analysis report that identifies domains where maturity is lower than expected given the inherent risk. Develop a remediation plan with owners, timelines, and status tracking. Board reporting on the CAT results and remediation progress should occur at least quarterly. Finally, keep evidence files updated for each declarative statement, as examiners will request supporting documentation during the examination.
Compliance Warning: Do not inflate your maturity levels. Examiners are trained to detect unrealistic self-assessments, and inflated maturity claims invite closer scrutiny of controls and can result in findings for unsubstantiated claims. Always back every declaration with documented policies, procedures, logs, and testing results.
Simplify Your FFIEC CAT Compliance with ThreatHawk SIEM + SOAR
Aligning your cybersecurity controls with the FFIEC CAT maturity levels requires continuous monitoring, automated evidence collection, and rapid incident response. CyberSilo’s ThreatHawk SIEM + SOAR platform provides the centralized logging, real-time threat detection, and automation workflows needed to support your FFIEC compliance posture. Built for financial institutions, ThreatHawk maps directly to FFIEC CAT declarative statements, generating actionable evidence for examiners.
Common Mistakes in FFIEC CAT Assessments
One frequent error is treating the CAT as a one-time exercise rather than a living document. Institutions that complete the tool only during exam prep often find their maturity levels outdated by the time the examiner arrives. Another mistake is failing to involve the board or senior management in the oversight domain—the examiner will look for explicit board reporting and risk appetite statements. Some institutions also misinterpret “declarative statements” as “yes/no” questions and choose a maturity level that sounds good rather than accurately reflecting their state. Finally, many institutions neglect the third-party connectivity inherent risk subcomponents, especially when they allow vendor remote access or cloud data storage without compensating controls. Accurate self-assessment requires honest evaluation of all risk factors, not just those easiest to quantify.
The Role of the FFIEC CAT in Board Oversight
The FFIEC expects boards of directors to understand and oversee cybersecurity risk management. The CAT provides a standardized language that translates technical risks into governance-level discussions. Boards should receive quarterly reports summarizing the institution’s inherent risk profile, current maturity levels, gaps identified, and progress on remediation. The board should formally approve the institution’s targeted maturity level, which should align with the board’s risk appetite. During examinations, the board is expected to demonstrate that it has reviewed and challenged the CAT results, not merely rubber-stamped them. Documentation of board discussions, minutes, and resolutions related to the CAT should be maintained for at least three years.
How Often Should the FFIEC CAT Be Updated?
The FFIEC recommends updating the CAT at least annually, but more frequent updates are advisable under certain conditions. Triggers that warrant an interim update include mergers and acquisitions, new technology deployments (e.g., cloud migration, mobile banking platforms), significant changes in the threat landscape (e.g., discovery of critical vulnerabilities or active ransomware campaigns targeting peer institutions), changes in senior management or the board’s risk appetite, or regulatory changes such as new guidance or enforcement actions. Many institutions find it practical to align the CAT update cycle with their annual risk assessment or audit planning cycle. Examiners also regard a quarterly review of changes in inherent risk as a strong practice.
Integrating the FFIEC CAT with Other Compliance Frameworks
Financial institutions often need to comply with multiple overlapping frameworks, such as the GLBA Safeguards Rule, NYDFS 23 NYCRR 500, PCI DSS, and SOC 2. The FFIEC CAT can serve as a unifying assessment that feeds into these programs. For example, the CAT’s Cybersecurity Controls domain maps directly to GLBA requirements for data encryption, access controls, and incident response. Similarly, the Resiliency domain aligns with business continuity and disaster recovery expectations under NYDFS. Using the CAT as a baseline reduces duplication of effort and helps prioritize common gaps. CyberSilo’s Compliance Standards Automation solution can help manage these mappings, providing a single pane of glass for all regulatory obligations and evidence collection.
Automate Your FFIEC CAT Evidence Collection
Manually collecting evidence for each FFIEC CAT declarative statement is time-consuming and error-prone. CyberSilo’s Compliance Standards Automation automates evidence collection from your existing tools—SIEM, identity management, vulnerability scanners, and cloud platforms—and maps it directly to the CAT’s maturity levels. Reduce your compliance overhead and enter every examination with defensible, current evidence.
FFIEC CAT vs. NYDFS 500 vs. GLBA Safeguards
Understanding the interplay between these requirements is critical for US financial institutions. NYDFS 23 NYCRR Part 500 is a regulation with specific, prescriptive mandates—e.g., requiring a Cyber Incident Response Plan, a CISO who reports to the board, and annual penetration testing. The GLBA Safeguards Rule (16 CFR Part 314) requires financial institutions to develop, implement, and maintain a comprehensive information security program. The FFIEC CAT is not a regulation but a tool to assess compliance with these regulations and the FFIEC handbook. An institution could have a fully compliant GLBA program but still receive an examiner finding if the CAT reveals a maturity gap that the board has not addressed. Conversely, the CAT may reveal that an institution is over-invested in certain controls while under-invested in others, enabling more balanced resource allocation. In practice, the three frameworks work together: the regulations set the legal floor, and the CAT helps institutions and examiners evaluate whether that floor is sufficient given the institution’s specific risk.
Preparing for an FFIEC Cybersecurity Examination
Beyond completing the CAT, examination preparation involves ensuring that all supporting documentation is organized and accessible. This includes policies, risk assessments, board resolutions, incident response logs, penetration testing reports, vulnerability management results, third-party risk assessments, and training records. Examiners will likely request evidence that supports each declarative statement the institution has selected. Use a centralized repository, preferably automated, to tag each piece of evidence to the relevant CAT statement. During the examination, be transparent about gaps and actively present remediation plans. Institutions that demonstrate proactive risk management and a clear path to improvement are generally treated more favorably than those that assert full compliance without evidence. CyberSilo’s US cybersecurity compliance services provide end-to-end support for CAT preparation, evidence collection, and exam readiness.
Our Conclusion & Recommendation
The FFIEC Cybersecurity Assessment Tool remains the cornerstone of IT examination readiness for US financial institutions. It provides a structured, defensible methodology for evaluating cyber risk and maturity that examiners trust and rely on. However, the tool’s effectiveness depends entirely on the honesty, accuracy, and currency of the self-assessment and the supporting evidence behind each declaration. Institutions that treat the CAT as a strategic governance tool—rather than a compliance checkbox—will find it drives real improvements in their cybersecurity posture and reduces the friction of regulatory examinations. CyberSilo helps financial institutions across the USA streamline their FFIEC compliance journey with automated evidence collection, continuous monitoring, and integrated SIEM + SOAR solutions that map directly to CAT declarative statements.
Protect your institution from examiner findings and cyber threats with a proactive, evidence-backed approach to the FFIEC CAT. Our experienced team can guide you from self-assessment to exam day with confidence and documentation that stands up to scrutiny.
Get a Compliance Assessment Today
Ready to align your cybersecurity program with FFIEC CAT expectations? Schedule a no-obligation discovery call with our compliance team. We’ll review your current maturity profile and help you build a roadmap to examination success.
