Federal Financial Institutions Examination Council announces two significant changes
Authors: Jason Brett and Danyel Marrs
Recently, the Federal Financial Institutions Examination Council (FFIEC) announced two significant changes that affect how financial services regulators will approach examining the information technology general controls (ITGC) at banks, credit unions, and fintech companies. These changes impact how financial institutions will design and implement controls in the affected areas of information technology (IT).
- The Development and Acquisition booklet will now be known as the Development, Acquisition, and Maintenance (DA&M) booklet. The new DA&M booklet includes an increased focus on risk management for IT systems throughout their lifecycle, whether acquired from third parties or developed in-house. It also includes newer software development standards, updated requirements for acquisition policies and procedures, and a stronger focus on system maintenance (such as change controls and preventative maintenance). Financial institutions are expected to immediately comply with its requirements.
- Effective August 31, 2025, the FFIEC’s Cybersecurity Assessment Tool (CAT) will be retired. Published in 2015, the FFIEC CAT has been the staple risk management solution for financial institutions to assess their cybersecurity maturity. Instead of maintaining the CAT against an ever-changing landscape of cyber threats, controls, and regulatory guidance, the FFIEC is pushing the financial services industry towards other assessment resources and cybersecurity frameworks against which institutions can measure themselves. Examples include the National Institute of Standards and Technology (NIST) Cybersecurity Framework 2.0, the Cybersecurity and Infrastructure Security Agency’s (CISA) Cybersecurity Performance Goals, the Cyber Risk Institute’s (CRI) Cyber Profile, and the Center for Internet Security Critical Security Controls. With no specific endorsement from the FFIEC on which assessment framework to use, institutions will need to evaluate which one is most appropriate for their risk assessment needs.
Not sure how to assess your organization’s compliance with the new FFIEC DA&M booklet or your cybersecurity readiness without the FFIEC CAT? Contact our Digital Risk Services team to discuss your needs and how we can help.
The information provided in this communication is of a general nature and should not be considered professional advice. You should not act upon the information provided without obtaining specific professional advice. The information above is subject to change.