December 18, 2025

Managing AI and choosing the right cybersecurity framework in a faster, riskier world

Jane Warrington

Since the Federal Financial Institutions Examination Council (FFIEC) retired its Cybersecurity Assessment Tool (CAT) on August 31, 2025, financial institutions now face a critical decision: Which framework should we adopt?

For years, CAT served as the industry’s compass, guiding banks and credit unions through the maze of cyber risk. But threats are changing, attackers are moving faster, regulations are tightening, and clients are demanding resilience. In this new reality, the frameworks you choose become survival strategies. With CAT gone, is your cybersecurity strategy ready for the next wave of threats?

Annual FFIEC assessments remain a cornerstone, but the industry is shifting toward more adaptable, risk-based frameworks. NIST CSF 2.0, CRI Profile, and CIS Controls v8.1 each offer distinct advantages and a different path forward. So, which one is right for your organization?

The New Playbook

Reference the table below for an overview of the top three cybersecurity frameworks:

Table describing cybersecurity frameworks, their various pros, cons, use cases, and functionality

Your Next Move

In response to rising cyber threats, regulators and businesses are taking action to strengthen cybersecurity practices across industries. To strengthen your cyber resilience, start here:

  1. Map existing controls, account for risks, and identify gaps.
  2. Benchmark against industry standards.
  3. Engage IT, Risk, and Audit teams to provide independent assessments.
  4. Prioritize gaps based on risk exposure and business impact.
  5. Create a maturity roadmap to close gaps.

Data Governance and AI Policy

Cyber resilience has expanded beyond traditional threats to include emerging risks such as algorithmic bias, automated fraud, and weaponized data. To address these challenges, policies must now cover:

  • Data classification and ownership, including retention and secure disposal practices
  • Ethical AI use to uphold standards and transparency
  • Restricted use of public AI for confidential data
  • Incident response and continuity, covering breach notification, data availability, backup, and recovery
  • Data risk assessments that document the likelihood of data loss events and the resulting mitigation measures

We Can Help

Frameworks like NIST CSF 2.0, CRI Profile, and CIS Controls v8.1 are strategic tools for building resilience and driving innovation. The right choice depends on your organization’s size, regulatory environment, and risk appetite.

At Elliott Davis, we help organizations:

  • Evaluate current security frameworks
  • Assess AI adoption and related risks against business objectives
  • Engage cross-functional teams to determine the best path forward
  • Update policies and procedures to support AI and cybersecurity practices
  • Build a roadmap that positions cybersecurity as a catalyst for trust and growth

Ready to take the next step? Contact us today to get started.

The information provided in this communication is of a general nature and should not be considered professional advice. You should not act upon the information provided without obtaining specific professional advice. The information above is subject to change.
