An official website of the United States government
OCC Bulletin 2016-34
October 17, 2016
Share This Page:
Chief Executive Officers of All National Banks, Federal Branches and Agencies, and Federal Savings Associations; Technology Service Providers; Department and Division Heads; All Examining Personnel; and Other Interested Parties
On June 30, 2015, the Federal Financial Institutions Examination Council (FFIEC),1 on behalf of its members, issued a Cybersecurity Assessment Tool (Assessment) that financial institutions may use to evaluate their risks and cybersecurity preparedness. At the same time, the Office of the Comptroller of the Currency (OCC) announced that examiners will gradually incorporate the Assessment into examinations of national banks, federal savings associations, and federal branches and agencies (collectively, banks) of all sizes. Appendix A of this bulletin contains answers to frequently asked questions (FAQ) that bankers have posed to OCC examiners and policy staff members. Separately, this bulletin includes additional answers to FAQs that the FFIEC recently issued on behalf of its members. The OCC and FFIEC answers are designed to foster further industry and examiner understanding of the Assessment.
The Assessment is designed for banks of all sizes and incorporates concepts and principles contained in the FFIEC Information Technology Examination Handbook, regulatory guidance, applicable laws and regulations, FFIEC joint statements, and well-known industry standards, such as the National Institute of Standards and Technology's Cybersecurity Framework.
The FAQs incorporate questions from bankers, including community bankers, on how to use the Assessment.
This bulletin includes
The OCC has implemented the Assessment as part of the bank examination process to benchmark and assess bank cybersecurity efforts. While use of the Assessment is optional for banks, OCC examiners will continue to use the Assessment to supplement examination work to gain a more complete understanding of banks' inherent risk, risk management practices, and controls related to cybersecurity.
The Assessment comprises two parts: an inherent risk profile and cybersecurity maturity.
Please contact the Operational Risk Division at (202) 649-6550.
Bethany A. Dugan
Deputy Comptroller for Operational Risk
The OCC examiners and policy staff members have received several requests from bankers to clarify points on the OCC's use of the Assessment and supporting materials. This bulletin provides answers to FAQs from bankers.
OCC examiners began incorporating the Assessment into safety and soundness and information technology examinations in late 2015. Examiners will continue to use the Assessment to supplement examination processes going forward and will have completed the first iteration at all banks by the end of supervisory year 2017.
Banks' ability to understand and mitigate cyber threats is critical to the safe and sound operation of those banks and the federal banking system. That is why the OCC is incorporating the Assessment into its examination process.
While use of the Assessment is optional for banks, OCC examiners will continue to use the Assessment to supplement examination work to gain a more complete understanding of banks' inherent risk, risk management practices, and controls related to cybersecurity, as well as to inform future supervisory work and policy development.
Before examinations, examiners will send banks request letters that highlight specific information that examiners will need to conduct the examinations efficiently and effectively using the Assessment.
The OCC is sensitive to the time and effort new examination procedures and processes may necessitate. The OCC is prepared to work with banks to minimize that burden when possible while ensuring bank management and staff members have an appropriate level of cyber awareness and banks have appropriate processes and controls in place for their inherent risk profiles and risk tolerances.
Banks' use of the Assessment is optional. OCC examiners will not require banks to complete the Assessment. For banks that have completed the Assessment, however, examiners may ask for a copy of the Assessment as they would for any risk self-assessment that banks perform. Banks may use the Assessment or any other framework or process to identify their inherent risk and cybersecurity preparedness.
No. Completion of the Assessment by banks is voluntary, and there is no requirement to submit an Assessment to the OCC. For banks that voluntarily complete the Assessment, in total or in part, or any other cyber risk assessment, however, examiners may ask for a copy as they would for any other risk self-assessment that banks perform.
OCC examiners will discuss any observations derived from the Assessment and other examination procedures with bank management. OCC examiners will update the Assessment data during subsequent examinations.
During examinations, if examiners identify issues or concerns that banks do not meet existing legal requirements or supervisory expectations established through FFIEC or OCC guidance for safe and sound operations, the examiners will inform bank management of the concerns and necessary corrective actions.
There is no maturity level expectation for banks. Examiners will discuss observations derived from the Assessment and other examination procedures with bank management. If examiners identify policies or practices that do not meet existing legal requirements or supervisory expectations for safe and sound operations, the examiners will inform bank management of the concerns and necessary corrective actions. Examiners generally will not cite levels of maturity per se as concerns identified for bank management's attention. Also see question 10.
Declarative statements at the baseline maturity level include legal and regulatory requirements and minimum risk management and control expectations outlined in the FFIEC Information Technology (IT) Examination Handbook. Most banks should be capable of achieving the baseline maturity in each domain. When a bank has not achieved a baseline declarative statement or, on a broader scale, has not achieved a baseline maturity in a domain, OCC examiners will discuss the situation with bank management to understand what steps management is taking to implement compensating controls to address cybersecurity risk.
The Assessment and IT audit serve similar purposes involving sound governance, risk management, and controls. An IT audit program evaluates risk management practices, internal control systems, and compliance with corporate policies concerning IT-related risks. The Assessment is a repeatable process that focuses on cybersecurity preparedness based on a bank's inherent risk. To assist in voluntary completion of the Assessment, bank management may find audits, control tests, and other assessments helpful in deciding which declarative statements apply in their environment.
The OCC always encourages banks to have open dialogue with their examiners regarding self-identified issues. Sharing this information helps the examiners understand banks' self-identified strengths and concerns.
The examiners will discuss those differences with bank management to understand the basis for the variance.
1 The FFIEC comprises the principals of the following: the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, Consumer Financial Protection Bureau, and State Liaison Committee.
2 D3.PC.SC.B.1: "Developers working for the institution follow secure program coding practices, as part of a system development life cycle (SDLC), that meet industry standards." D3.PC.SC.E.1: "Security testing occurs at all post-design phases of the SDLC for all applications, including mobile applications."