OCC Bulletin 2015-31 | June 30, 2015
Cybersecurity: FFIEC Cybersecurity Assessment Tool
Chief Executive Officers of All National Banks, Federal Branches and Agencies, and Federal Savings Associations; Technology Service Providers; Department and Division Heads; All Examining Personnel; and Other Interested Parties
The Federal Financial Institutions Examination Council (FFIEC),1 on behalf of its members, has issued a Cybersecurity Assessment Tool (Assessment) that institutions may use to evaluate their risks and cybersecurity preparedness. The Office of the Comptroller of the Currency (OCC) examiners will gradually incorporate the Assessment into examinations of national banks, federal savings associations, and federal branches and agencies (collectively, banks) of all sizes.
The Assessment helps banks and examiners determine a bank's inherent risk profile and level of cybersecurity preparedness. The results may be reviewed to determine whether the bank's cybersecurity maturity levels align with the bank's inherent risk profile. In addition to the Assessment, the FFIEC has also made available resources institutions may find useful, including an executive overview, a user's guide, an online presentation explaining the Assessment, and appendixes mapping the Assessment's baseline items to the FFIEC Information Technology (IT) Examination Handbook and to the National Institute of Standards and Technology's (NIST) Cybersecurity Framework.
Note for Community Banks
The Assessment is designed for banks of all sizes and incorporates concepts and principles contained in the FFIEC IT Examination Handbook, regulatory guidance, applicable laws and regulations, FFIEC joint statements, and concepts from well-known industry standards, such as the NIST Cybersecurity Framework. The statements included in the baseline level of maturity are consistent with legal and regulatory requirements and with the minimum risk management and control expectations outlined in the FFIEC IT Examination Handbook.
There are two parts to the Assessment: an inherent risk profile and cybersecurity maturity.
- Inherent risk profile identifies the amount of risk posed to a bank by the types, volume, and complexity of the bank's technologies and connections, delivery channels, products and services, organizational characteristics, and external threats—notwithstanding the bank's risk-mitigating controls.
- Cybersecurity maturity is evaluated in five domains: Cyber Risk Management and Oversight, Threat Intelligence and Collaboration, Cybersecurity Controls, External Dependency Management, and Cyber Incident Management and Resilience. Each domain has five levels of maturity: baseline, evolving, intermediate, advanced, and innovative. A bank's appropriate cybersecurity maturity levels depend on its inherent risk profile.
The OCC will implement the Assessment as part of the bank examination process over time to benchmark and assess bank cybersecurity efforts.
- While use of the Assessment is optional for financial institutions, OCC examiners will use the Assessment to supplement exam work to gain a more complete understanding of an institution's inherent risk, risk management practices, and controls related to cybersecurity.
- OCC examiners will begin incorporating the Assessment into examinations in late 2015.
- The OCC will host a webinar for midsize and community bankers on July 30, 2015, from 2:00 p.m. to 3:30 p.m. (ET). For more information, please visit BankNet.
In summer 2014, FFIEC members piloted a cybersecurity examination work program (Cybersecurity Risk Assessment) at more than 500 community financial institutions to evaluate their preparedness to mitigate cyber risks. The Cybersecurity Risk Assessment supplemented existing examination work planned for each institution. The Cybersecurity Risk Assessment resulted in the establishment of seven workstreams, as the FFIEC announced earlier this year. In addition to releasing the Assessment, the FFIEC members plan to enhance their incident analysis, crisis management, training, and policy development, as well as their focus on technology service providers' cybersecurity preparedness. The FFIEC and its members also will continue to improve their collaboration with other government agencies and communicate about the importance of cybersecurity awareness and best practices among financial industry participants and regulators.
Please contact Valerie Abend, Senior Critical Infrastructure Officer, Operational Risk Division, at (202) 649-6550.
Bethany A. Dugan
Deputy Comptroller for Operational Risk
1 The FFIEC comprises the principals of the following: The Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, Consumer Financial Protection Bureau, and State Liaison Committee.