Frequently Asked Questions on the FFIEC Cybersecurity Assessment Tool
October 18, 2016 / Source: OCC
OCC BULLETIN 2016-34
Date: October 17, 2016
To: Chief Executive Officers of All National Banks, Federal Branches and Agencies, and Federal Savings Associations; Technology Service Providers; Department and Division Heads; All Examining Personnel; and Other Interested Parties
On June 30, 2015, the Federal Financial Institutions Examination Council (FFIEC), on behalf of its members, issued a Cybersecurity Assessment Tool (Assessment) that financial institutions may use to evaluate their risks and cybersecurity preparedness. At the same time, the Office of the Comptroller of the Currency (OCC) announced that examiners will gradually incorporate the Assessment into examinations of national banks, federal savings associations, and federal branches and agencies (collectively, banks) of all sizes. Appendix A of this bulletin contains answers to frequently asked questions (FAQ) that bankers have posed to OCC examiners and policy staff members. Separately, this bulletin includes additional answers to FAQs that the FFIEC recently issued on behalf of its members. The OCC and FFIEC answers are designed to foster further industry and examiner understanding of the Assessment.
Note for Community Banks
The Assessment is designed for banks of all sizes and incorporates concepts and principles contained in the FFIEC Information Technology Examination Handbook, regulatory guidance, applicable laws and regulations, FFIEC joint statements, and well-known industry standards, such as the National Institute of Standards and Technology’s Cybersecurity Framework.
The FAQs incorporate questions from bankers, including community bankers, on how to use the Assessment.
This bulletin includes
- the OCC FAQs for OCC examiners and banks that choose to use the Assessment.
- the FFIEC FAQs for banks that choose to use the Assessment.
The OCC has implemented the Assessment as part of the bank examination process to benchmark and assess bank cybersecurity efforts. While use of the Assessment is optional for banks, OCC examiners will continue to use the Assessment to supplement examination work to gain a more complete understanding of banks’ inherent risk, risk management practices, and controls related to cybersecurity.
The Assessment comprises two parts: an inherent risk profile and cybersecurity maturity.
- Inherent risk profile identifies the amount of risk posed to a bank by the types, volume, and complexity of the bank’s technologies and connections, delivery channels, products and services, organizational characteristics, and external threats, notwithstanding the bank’s risk-mitigating controls.
- Cybersecurity maturity is evaluated in five domains: cyber risk management and oversight, threat intelligence and collaboration, cybersecurity controls, external dependency management, and cyber incident management and resilience. Each domain has five levels of maturity: baseline, evolving, intermediate, advanced, and innovative. A bank’s appropriate cybersecurity maturity levels depend on its inherent risk profile.
Please contact the Operational Risk Division at (202) 649-6550.
Bethany A. Dugan
Deputy Comptroller for Operational Risk