Matt Rowe, Minnesota 1997, is a shareholder in Ruder Ware’s Business Transactions Practice Group, where he concentrates in corporate finance and securities, mergers and acquisitions and related acquisition financings, and the representation of financial institutions in connection with regulatory and other matters.
The Office of the Comptroller of the Currency has indicated in a recent bulletin that its examiners will gradually incorporate the Cybersecurity Assessment Tool into examinations of national banks and the other institutions under its regulatory purview.
At the same time, the Federal Deposit Insurance Corporation issued a Financial Institution Letter informing banks of a Frequently Asked Questions document on the Cybersecurity Assessment Tool, recently released by the Federal Financial Institutions Examination Council (FFIEC).
While use of the Cybersecurity Assessment Tool is optional for banks, the recently issued guidance makes clear that examiners will place an increasing focus on cybersecurity at banks of all sizes.
Steps to Address Cybersecurity Risks
The Cybersecurity Assessment Tool was issued in June 2015. In its overview for chief executive officers and board members, the FFIEC indicated that boards of directors and bank management teams may want to consider, among other things, the following steps to address cybersecurity risk at their institution:
- Developing a plan to conduct a cybersecurity risk assessment using the Cybersecurity Assessment Tool
- Establishing a target state of cybersecurity preparedness that best aligns with the board of directors’ approved risk appetite for the institution
- Approving plans to address any cybersecurity risk management and control weaknesses
- Implementing changes to ensure that the institution has achieved its desired level of cybersecurity preparedness
- Monitoring cybersecurity risk on an ongoing basis
Questions and Answers About the Cybersecurity Assessment Tool
In its Frequently Asked Questions document, released in October 2016, the FFIEC addressed a number of issues raised by bankers and other interested parties about the Cybersecurity Assessment Tool. The FAQs make clear that use of the Tool is voluntary, and that an institution’s management may choose to use the Tool or another risk assessment process to identify inherent risk and evaluate cybersecurity preparedness.
That said, the FAQs summarize a number of benefits an institution might see from using the Tool, including identifying the factors that contribute to the institution’s overall cyber risk and providing a framework for determining whether the institution’s cybersecurity preparedness is aligned with its inherent risk.
As is often the case with regulatory guidance of this kind, bank management teams may want to give strong consideration to using the Cybersecurity Assessment Tool to evaluate cybersecurity risk at their institutions. This is particularly so in an environment where regulatory scrutiny in this area appears likely to increase and where, given the continued growth in the use of technology, cybersecurity threats are likely to increase as well.