October 9, 2025

The FFIEC retired CAT—here’s why financial institutions are turning to CRI

Written by
Ethan Heller
GRC Subject Matter Expert

When the Federal Financial Institutions Examination Council (FFIEC) released its Cybersecurity Assessment Tool (CAT) in 2015, it became the industry standard for evaluating cyber readiness.

A decade later, the threat landscape has evolved—and rather than updating the CAT, the FFIEC retired it on August 31, 2025. With CAT no longer the industry's best practice, many financial institutions are asking: What’s next?

At Vanta, we recommend that financial institutions migrate to the Cyber Risk Institute (CRI) Profile. Developed in collaboration with regulators and industry leaders, the CRI Profile is a globally recognized, non-regulatory, comprehensive framework that unites overlapping cybersecurity and risk management requirements and serves as a common baseline for supervisory exams, board reporting, and third-party risk assurance.

Why migrate to the CRI Profile?

The CRI Profile was built by and for the financial services industry in partnership with regulators and leading banks. It’s designed to harmonize overlapping requirements from frameworks like NIST CSF 2.0, the EU’s DORA, Singapore’s MAS TRM Guidelines, Australia’s APRA, and the U.S.’s FFIEC, making it a natural replacement for CAT.

Regulators globally are increasingly using the CRI Profile as a baseline in exams, and supervisors will expect institutions to reference it in place of CAT.

By starting the migration today, institutions can avoid last-minute fire drills, reuse much of their CAT evidence, and position themselves for stronger, more resilient supervisory reviews.

How the CRI Profile compares to CAT

The CRI Profile isn’t just the successor to FFIEC CAT—it’s a more comprehensive, regulator-backed framework that helps financial institutions prove readiness and resilience across jurisdictions. 

The FFIEC CAT was a voluntary tool designed to help financial institutions identify cyber risks and assess their preparedness. However, its static, checkbox structure has struggled to help institutions keep pace with today’s evolving threats and increasing regulatory expectations.

The CRI Profile, on the other hand, is designed to be a more dynamic, streamlined framework with a broader security scope. For instance, the CRI Profile builds on NIST CSF 2.0 and adds depth in governance, third-party risk, and resilience, offering proportional scaling through four impact tiers:

  • Tier 1: Largest, most complex, and systemically important institutions
  • Tier 2: Mid-sized financial institutions with significant regional or cross-border operations
  • Tier 3: Smaller, often regional or specialized financial entities
  • Tier 4: Community banks, fintechs, and service providers operating at lower systemic risk levels

CRI also provides a dedicated Cloud Profile with tailored guidance for AWS, Azure, and GCP environments. 

How to replace FFIEC CAT with CRI

Transitioning doesn’t mean starting from scratch. The Cyber Risk Institute provides tools to make migration straightforward. Follow these steps to upgrade from CAT to the CRI Profile.

  1. Download the CRI Profile and the CRI Profile Mappings Catalog from the Cyber Risk Institute website.
     • Open the “FFIEC CAT” tab in the Mappings Catalog. Here you’ll find direct mappings from each CAT statement to the corresponding CRI diagnostic statement.
  2. Determine your impact tier. CRI scales expectations across four tiers—from Tier 1 for global institutions to Tier 4 for community banks and service providers. The tiering questionnaire will tell you which level applies to you.
  3. Scope your diagnostic statements. Based on your tier, you’ll see which CRI diagnostic statements are in scope for your organization.
  4. Map your evidence. Use the Mappings Catalog to align the evidence you already collected for CAT with the relevant CRI diagnostic statements.
  5. Run your CRI assessment. With evidence mapped, continue with the CRI diagnostic assessment to identify gaps, remediate them, and prepare for supervisory exams.
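Steps 2 through 5 are a scoping-and-crosswalk exercise, and it helps to see them carried out on data. The script below is an added example, not code from Vanta or the Cyber Risk Institute; the statement IDs, tier assignments and evidence file names are constructed placeholders, not entries from the real Mappings Catalog. It scopes diagnostic statements by tier, reuses CAT evidence through the mapping, and classifies each in-scope statement as covered, partially covered, or a gap (including statements that are new in CRI and have no CAT equivalent).

```python
from typing import Dict, List, Tuple

# Constructed placeholder crosswalk, NOT the real CRI Mappings Catalog.
# "through_tier": highest tier number the statement applies to. Tier 1 is the
# largest institution, so a statement with through_tier 4 applies to everyone
# and one with through_tier 1 applies only to Tier 1.
# "cat": CAT statements the catalog maps onto this CRI diagnostic statement.
CROSSWALK = {
    "CRI-GV-01": {"through_tier": 4, "cat": ["CAT-D1.G.1", "CAT-D1.G.2"]},
    "CRI-ID-02": {"through_tier": 4, "cat": ["CAT-D2.TI.1"]},
    "CRI-DR-03": {"through_tier": 3, "cat": ["CAT-D3.DC.4"]},
    "CRI-TP-04": {"through_tier": 2, "cat": []},  # new in CRI, no CAT equivalent
    "CRI-RS-05": {"through_tier": 1, "cat": ["CAT-D5.IR.2"]},
}


def in_scope(tier: int, crosswalk: dict = CROSSWALK) -> List[str]:
    """Step 3: diagnostic statements that apply to an institution of this tier."""
    if tier not in (1, 2, 3, 4):
        raise ValueError("CRI impact tier must be 1-4")
    return sorted(s for s, m in crosswalk.items() if tier <= m["through_tier"])


def map_evidence(
    tier: int,
    cat_evidence: Dict[str, List[str]],
    crosswalk: dict = CROSSWALK,
) -> Dict[str, Tuple[str, List[str]]]:
    """Steps 4-5: reuse CAT evidence per in-scope CRI statement and flag gaps.

    cat_evidence maps a CAT statement ID to the evidence files collected for it.
    Returns {cri_statement: (status, reused_files)} where status is
    'covered' (every mapped CAT statement has evidence), 'partial' (some do),
    or 'gap' (none do, or the statement has no CAT mapping at all).
    """
    result: Dict[str, Tuple[str, List[str]]] = {}
    for stmt in in_scope(tier, crosswalk):
        cat_ids = crosswalk[stmt]["cat"]
        files = [f for c in cat_ids for f in cat_evidence.get(c, [])]
        have = [c for c in cat_ids if cat_evidence.get(c)]
        if cat_ids and len(have) == len(cat_ids):
            status = "covered"
        elif have:
            status = "partial"
        else:
            status = "gap"  # needs new evidence or a new control
        result[stmt] = (status, files)
    return result
```

Run with your own tier and a dictionary of existing CAT evidence; every statement returned as "gap" or "partial" is remediation work before the CRI diagnostic assessment.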

Switch to CRI with Vanta 

The CRI Profile is quickly becoming the go-to security baseline for the financial sector. Vanta automates alignment with the CRI Profile, which unifies frameworks like DORA, APRA, and MAS TRM. With 318 controls, four impact tiers, and AI-powered workflows, you can reduce manual work, avoid duplication, and stay resilient across global regulations and supervisory expectations.

Learn more about how Vanta can help you prove trust to regulators and customers with CRI.
