S3 | E18: Cyber Risk in Focus: Evolving Threats and the Sunset of the CAT Tool

June 17, 2025

The cybersecurity landscape is changing fast. And for financial institutions, one of the biggest shifts on the horizon is the sunsetting of the FFIEC Cybersecurity Assessment Tool (CAT) in August 2025. In this episode of the Risk Intel podcast, Josh Magri, President and CEO of the Cyber Risk Institute (CRI), joined host Edward Vincent to unpack what this means for banks, credit unions, and other financial players.

From emerging threats powered by AI to the evolving regulatory frameworks shaping cybersecurity governance, Josh's insights are a must-hear. Listen to the full episode or read the highlights below.

Who Is Josh Magri and the Cyber Risk Institute?

Josh brings deep interdisciplinary expertise to the world of cyber risk. He began his career as a prosecutor after earning a law degree from Boston College Law School, but soon transitioned into cybersecurity policy. He worked at the Internet Security Alliance, helping shape national frameworks such as the NIST Cybersecurity Framework. He later served as Regulatory Counsel at BITS (part of the Bank Policy Institute), focusing on financial cyber regulation and leading the development of the NACD Cyber Risk Oversight Guidance. Today, as CEO of the Cyber Risk Institute, Josh is a national leader in advancing standardized, risk-based cybersecurity approaches for financial institutions.

The Cyber Risk Institute (CRI) is a not-for-profit coalition of financial institutions and trade associations working to protect the global economy by enhancing cybersecurity and resiliency through standardization. It pursues that mission by creating and maintaining a common framework for cybersecurity and resilience assessment. Learn more at: cyberriskinstitute.org

The Threat Landscape Is Escalating... Fast!

Beyond regulatory shifts, this episode delved into how AI is supercharging cyber threats. Financial institutions must now contend with:

  • Ransomware sophistication
  • Cyber-enabled fraud
  • AI-generated phishing attacks at scale

“The threat landscape is getting more sophisticated and the ease of attack is really kind of going down… It's much easier to levy some of these attacks.”

Josh noted that while these threats are daunting, they make the case for action all the more urgent.

Why the FFIEC CAT Is Being Sunset

The FFIEC CAT, first introduced in 2015, was designed to uplift cybersecurity practices across financial services, especially for smaller institutions. Over time, however, overlapping standards and changing regulatory expectations created confusion.

As Josh explained: “The CAT came out without the realization that NIST CSF was going to be as popular as it was going to be, particularly for the financial services sector.”

In August 2024, the FFIEC formally announced that the CAT will be retired in August 2025, giving institutions just one year to transition to a new framework. Do you have a plan in place to replace the CAT?

What Comes Next: Four Frameworks to Consider

To replace the CAT, the FFIEC pointed institutions to four alternative cybersecurity frameworks to evaluate:

  1. NIST Cybersecurity Framework (CSF) 2.0
  2. DHS CISA Cross-Sector Cybersecurity Performance Goals (CPGs)
  3. CRI Profile
  4. CIS Critical Security Controls

Josh encourages firms to take this seriously: “Now is the time to start to talk to the regulatory community… The surprises are where it can go awry.”

Why the CRI Profile Stands Out

Josh made a compelling case for the CRI Profile as the most tailored solution for financial institutions. It combines the flexibility of NIST with the specificity of financial regulations.

“We always kind of call the profile ‘NIST for financial services.’ If you take a look at the NIST CSF and then add on some of the regulatory requirements, you get the profile.”

The CRI Profile is also globally aligned, drawing on international regulatory guidance (such as that issued by IOSCO) and sector-specific risk elements to foster a unified cybersecurity language, which is critical for managing third-party risk.

A Strategic Roadmap for Financial Institutions

Transitioning away from the FFIEC CAT is not just about compliance; it's about strengthening cyber resilience. Josh cited a useful four-step approach inspired by a recent blog post from cybersecurity leader Phil Venables:

  1. Face the right direction: Evaluate the frameworks and choose a path forward
  2. Cover the basics: Build foundational controls
  3. Make it routine: Operationalize cybersecurity processes
  4. Make it strategic: Align with business and risk goals

By following these steps, your institution can move beyond checkbox compliance to build a sustainable, resilient cybersecurity program.

Final Thoughts

With the FFIEC CAT being sunset in 2025, institutions must act now. The cybersecurity landscape isn’t waiting — and neither are regulators.

Start by assessing the four framework options, bring your findings to executive leadership, and engage your regulators early. The CRI Profile offers a compelling, sector-specific path forward.

“If you're a financial institution... it's never too early to begin that conversation.”

Stay tuned for Part 2 of this cybersecurity series, where Josh returns to explore the CRI Profile in more depth and dive into the broader regulatory evolution shaping financial services cybersecurity.

About The Cyber Risk Institute

The Cyber Risk Institute (CRI) is a not-for-profit coalition of financial institutions and trade associations. We're working to protect the global economy by enhancing cybersecurity and resiliency through standardization. Our Cyber Profile tool is the benchmark for cybersecurity and resiliency in the financial services industry. This ever-evolving and concise list of assessment questions is curated based on the intersection of global regulations and cyber standards, such as ISO and NIST. Learn more at: https://cyberriskinstitute.org
