Maine BFI Bulletin 80: FFIEC Cybersecurity Tool Sunset

BUREAU OF FINANCIAL INSTITUTIONS Department of Professional and Financial Regulation State of Maine June 30, 2025 Bulletin #80 Cybersecurity Assessments- Notice of the Sunset of the FFIEC Cybersecurity Assessment Tool on August 31, 2025. To the Chief Executive Officer Addressed: This Bulletin has been updated to reflect the upcoming sunset of the FFIEC’s Cybersecurity Assessment Tool (CAT) and outline the Bureau’s continuing expectations regarding cybersecurity assessments. The FFIEC previously developed and published the CAT as a voluntary method to assist financial institutions in measuring their inherent risks to cyber threats and measuring their cybersecurity maturity (preparedness). The Bureau encouraged use of the FFIEC CAT when it issued Bulletin 80 on October 16, 2015. Despite the sunset of the CAT, the Bureau still expects that financial institutions adopt methods for assessing their cybersecurity preparedness and incorporate appropriate cybersecurity measures into their information security program. The FFIEC continues to provide resources to help financial institutions manage cybersecurity risks. As financial institutions develop and revise their cybersecurity programs, the Bureau encourages the use of the latest recommended resources from the FFIEC, which include guidance and recommendations from the Cybersecurity & Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST). More information from FFIEC can be found at: https://www.ffiec.gov/resources/cybersecurity-awareness. Bureau examination staff will continue to review an institution’s cybersecurity measures as a part of its information security program and understands that the measures adopted by an institution may change over time as cyber threats and the associated industry guidance continue to evolve.

/s/ Lloyd P. LaFountain III Superintendent Note: This bulletin is intended solely for informational purposes. It is not intended to set forth legal rights, duties or privileges nor is it intended to provide legal advice. Readers are encouraged to consult applicable statutes and regulations and to contact the Bureau of Financial Institutions if additional information is needed.