Texas Department of Banking gives notice on FFIEC

In an industry notice released today, the Texas Department of Banking stated that the Federal Financial Institutions Examination Council (FFIEC) will sunset its Cybersecurity Assessment Tool (CAT) effective August 31, 2025.

“While we recognize that the CAT may be an integral part of your cybersecurity risk management practices, weaknesses in the CAT have emerged with the passage of time, and other resources are now available to provide a more comprehensive and current evaluation of cybersecurity risks and preparedness posture for your institution,” the Texas DOB’s notice states.

“We encourage you to consider selecting an alternative tool for evaluating cybersecurity risks and preparedness posture as soon as possible,”the Department says as the agency requires state-chartered banks to assess their cybersecurity maturity annually.

The Department says it does not endorse the use of any specific tool. However, it provided a listing of available government and industry-developed resources:

• National Institute of Standards and Technology (NIST) Cybersecurity Framework 2.0
• Cybersecurity and Infrastructure Security Agency’s (CISA) Cross-Sector Cybersecurity Performance Goals
• Cybersecurity and Infrastructure Security Agency’s (CISA) Cybersecurity Performance Goals for the Financial Sector (coming later in 2024)
• Cyber Risk Institute (CRI) Cyber Profile
• Center for Internet Security Critical Security Controls

State-chartered banks should contact Ms. Ruth Norris, Director of IT Security Examinations, with any questions about this important notice.