An official website of the United States government
OCC Bulletin 2015-31
June 30, 2015
Share This Page:
Chief Executive Officers of All National Banks, Federal Branches and Agencies, and Federal Savings Associations; Technology Service Providers; Department and Division Heads; All Examining Personnel; and Other Interested Parties
The Federal Financial Institutions Examination Council (FFIEC),1 on behalf of its members, has issued a Cybersecurity Assessment Tool (Assessment) that institutions may use to evaluate their risks and cybersecurity preparedness. The Office of the Comptroller of the Currency (OCC) examiners will gradually incorporate the Assessment into examinations of national banks, federal savings associations, and federal branches and agencies (collectively, banks) of all sizes.
The Assessment helps banks and examiners determine a bank's inherent risk profile and level of cybersecurity preparedness. The results may be reviewed to determine whether the bank's cybersecurity maturity levels align with the bank's inherent risk profile. In addition to the Assessment, the FFIEC has also made available resources institutions may find useful, including an executive overview, a user's guide, an online presentation explaining the Assessment, and appendixes mapping the Assessment's baseline items to the FFIEC Information Technology (IT) Examination Handbook and to the National Institute of Standards and Technology's (NIST) Cybersecurity Framework.
The Assessment is designed for banks of all sizes and incorporates concepts and principles contained in the FFIEC IT Examination Handbook, regulatory guidance, applicable laws and regulations, FFIEC joint statements, and concepts from well-known industry standards, such as the NIST Cybersecurity Framework. The statements included in the baseline level of maturity are consistent legal and regulatory requirements and minimum risk management and control expectations outlined in the FFIEC IT Examination Handbook.
There are two parts to the Assessment: an inherent risk profile and cybersecurity maturity.
The OCC will implement the Assessment as part of the bank examination process over time to benchmark and assess bank cybersecurity efforts.
In summer 2014, FFIEC members piloted a cybersecurity examination work program (Cybersecurity Risk Assessment) at more than 500 community financial institutions to evaluate their preparedness to mitigate cyber risks. The Cybersecurity Risk Assessment supplemented existing examination work planned for each institution. The Cybersecurity Risk Assessment resulted in the establishment of seven workstreams, as the FFIEC announced earlier this year. In addition to releasing the Assessment, the FFIEC members plan to enhance their incident analysis, crisis management, training, and policy development, as well as their focus on technology service providers' cybersecurity preparedness. The FFIEC and its members also will continue to improve their collaboration with other government agencies and communicate about the importance of cybersecurity awareness and best practices among financial industry participants and regulators.
Please contact Valerie Abend, Senior Critical Infrastructure Officer, Operational Risk Division, at (202) 649 6550.
Bethany A. Dugan
Deputy Comptroller for Operational Risk
1 The FFIEC comprises the principals of the following: The Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, Consumer Financial Protection Bureau, and State Liaison Committee.