Cybersecurity is evolving faster than many community banks and credit unions can keep pace with. With the retirement of the FFIEC Cybersecurity Assessment Tool (CAT) on August 31, 2025, financial institutions are left wondering how best to measure, track, and manage cyber risk without a regulator-endorsed standard. In this episode of the Banking on Data podcast, host Ed Vincent sits down with Cathy Jackson to unpack what comes next for institutions in this post-CAT world.
Together, they explore how banks can leverage the Cyber Risk Institute’s Profile 2.1, why the seven functional areas of cyber risk matter, and how moving beyond spreadsheets to an integrated risk suite can give leaders a holistic, regulator-ready view of their risk posture.
The FFIEC Cybersecurity Assessment Tool (CAT) provided a regulator-supported framework for assessing cyber resilience across the financial industry for years. But as of August 31, 2025, the CAT has been fully sunset. It is no longer maintained, endorsed, or available for download from FFIEC’s website. This leaves financial institutions without a single, regulator-backed option for cybersecurity self-assessment. Instead, FFIEC has directed banks and credit unions toward updated resources such as NIST Cybersecurity Framework 2.0, CISA’s Cybersecurity Performance Goals, and the CRI Cyber Profile. You can read the official announcement and guidance directly from the FFIEC website.
For community banks and credit unions, the CAT’s retirement is a turning point. Institutions must now take greater ownership of their cyber risk posture, selecting frameworks that not only align with regulators but also fit their strategy and operations.
The Cyber Risk Institute (CRI) developed Profile 2.1, an interpretation of the NIST Cybersecurity Framework tailored to financial services. Already recognized across the industry, the CRI Profile 2.1 is becoming the logical successor for institutions that relied on CAT. Lumio partnered with CRI to embed Profile 2.1 into the Lumio Risk Suite, allowing community financial institutions to integrate cyber assessments into enterprise risk management (ERM). This provides not only a replacement for CAT but also a more comprehensive, modernized approach to cyber risk.
When institutions conduct a CRI Profile assessment, results are organized into seven functional areas, Govern, Identify, Protect, Detect, Respond, Recover, and Extend, that together form a roadmap for cyber resilience. The first six mirror the functions of NIST CSF 2.0; Extend is the Profile's addition covering supply chain and third-party risk.
“We’ve called out supply chain and third-party risk for years, and I’m really pleased to see it included in the CRI tool. It’s often a forgotten aspect of cybersecurity, but it’s critical to resilience.” - Cathy Jackson
These functional areas help institutions not just quantify risk, but evaluate the quality of their risk management controls. Cathy recommends housing them under operational risk within the enterprise risk framework, while leaving institutions the flexibility to align them wherever they make the most sense for their own structure.
Simply scoring against these areas is not enough. Benchmarks are essential to contextualize results. Lumio provides research-backed guidance in partnership with CRI, but institutions must customize benchmarks to their own environment. Regulators expect defensible, institution-specific reasoning, not generic vendor scores.
The seven functional areas serve as the foundation for this, ensuring that cyber risk measurement connects directly to regulatory expectations and the broader enterprise risk picture.
“Looking at cyber risk holistically is the core principle of enterprise risk management. You can do the deep dive into cybersecurity, but then you must evaluate it in the context of your overall risk program and profile.” - Ed Vincent
Many institutions still use Excel to track cyber risks. While that’s a practical first step, spreadsheets are limited:
“Spreadsheets have their place. This tool is in a spreadsheet, but it’s just assessing in the spreadsheet—it’s not drawing conclusions. To really have a true understanding of risk at an institution, you have to bring it all together and put it in context, first within the area, and then across the overall picture.” - Cathy Jackson
A modern risk platform enables better decision-making, visibility, and regulatory readiness. By moving beyond Excel into solutions like Lumio, institutions can democratize insights, link risk to metrics, and build confidence ahead of regulatory reviews.
With the retirement of the FFIEC CAT tool, financial institutions are navigating a new landscape. The absence of a regulator-endorsed standard has left banks and credit unions searching for the best way to measure, track, and manage cyber risk going forward.
The good news: frameworks like the Cyber Risk Institute's Profile 2.1 provide a strong, NIST-aligned replacement. By embedding these assessments into enterprise risk management and focusing on the seven functional areas (Govern, Identify, Protect, Detect, Respond, Recover, and Extend), institutions can build resilience, satisfy regulators, and strengthen trust. Excel may be a starting point, but it's not the destination. True enterprise visibility and smarter decision-making come from integrated platforms that connect cyber risk to the bigger picture.
As Ed summarized in this episode, here is a practical playbook for CFIs looking to move forward:
To dive deeper, listen to the full conversation on the Banking on Data podcast, or explore how Lumio’s Risk Suite can help your institution put these principles into practice.