
Indiana Department of Financial Institutions · IN

Advisory Letter 2024-01, Depository Division: FFIEC CAT Sunset Notice

July 1, 2024

Summary

The Indiana Department of Financial Institutions advises state-chartered banks that the FFIEC Cybersecurity Assessment Tool (CAT) will sunset on August 31, 2025, because it no longer addresses current cybersecurity risks. Banks must select an alternative assessment tool, such as the NIST Cybersecurity Framework or CISA guidelines, as the CAT will no longer be considered appropriate after that date. The Department does not endorse any specific tool but strongly recommends switching promptly.

DEPOSITORY DIVISION

ADVISORY LETTER 2024-01

SEPTEMBER 9, 2024

TO: Indiana State-Chartered Banks

FROM: Christopher C. Dietz, Deputy Director, Depository Institutions

RE: Advisory on FFIEC Cybersecurity Assessment Tool Sunset

Risks around cybersecurity are ever-changing, and bad actors continue to find innovative ways to wreak havoc on financial institutions. As risk management threats and needs change over time, regulatory agencies encourage financial institutions to continually assess their inherent risk profile and evaluate the adequacy of the tools used to assess cyber readiness. Regulators have never prescribed a specific tool to evaluate a financial institution’s cybersecurity risk and maturity readiness, as multiple industry or institution-developed tools and industry best practice guidelines may serve individual financial institutions’ needs. However, we recognize that some financial institutions have chosen to use the Federal Financial Institutions Examination Council’s (FFIEC) Cybersecurity Assessment Tool (CAT). The CAT, which once served as a beneficial resource, has become outdated due to gaps that no longer address today’s risk preparedness objectives. States advocated for the agencies to update the CAT; however, ultimately, the determination was made that the tool is past its beneficial life. As a result, the FFIEC recently announced that the CAT will sunset effective August 31, 2025.

Given the FFIEC identified gaps in the CAT, the Department strongly recommends that your institution select an alternative tool as soon as possible, as we will not consider the CAT, in its current form, an appropriate tool after the August 31, 2025 sunset date. Other tools from government and industry-developed resources provide a current comprehensive evaluation of cybersecurity risks and maturity readiness. While the Department does not endorse the use of any specific tool, there are several alternatives, including:

  • National Institute of Standards and Technology (NIST) Cybersecurity Framework 2.0
  • Cybersecurity and Infrastructure Security Agency’s (CISA) Cross-Sector Cybersecurity Performance Goals
  • Cybersecurity and Infrastructure Security Agency’s (CISA) Cybersecurity Performance Goals for the Financial Sector (coming later in 2024)
  • Cyber Risk Institute (CRI) Cyber Profile
  • Center for Internet Security Critical Security Controls

Please contact IDFI IT Program Lead Kevin Stouder (kstouder@dfi.in.gov) with any questions.

Source: https://www.in.gov/dfi/files/Advisory-2024-01-CAT-Sunset-Notice.pdf

Common questions

What does "Advisory Letter 2024-01, Depository Division: FFIEC CAT Sunset Notice" cover?
The Indiana Department of Financial Institutions advises state-chartered banks that the FFIEC Cybersecurity Assessment Tool (CAT) will sunset on August…
Which agency issued this update?
This update was issued by the Indiana Department of Financial Institutions.
When was it published?
It was published on July 1, 2024.
