
Banking and Financial Matters Blog

Cybersecurity Risk: Latest Guidance from Bank Examiners

Authored by Matthew D. Rowe
Posted on December 1, 2016
Filed under Banking and Financial Matters

The Office of the Comptroller of the Currency has indicated in a recent bulletin that its examiners will gradually incorporate a Cybersecurity Assessment Tool into its examinations of national banks and other institutions under its regulatory purview. At the same time, the Federal Deposit Insurance Corporation issued a Financial Institution Letter informing banks of a Frequently Asked Questions document relating to the Cybersecurity Assessment Tool, which was recently issued by the Federal Financial Institutions Examination Council (FFIEC). While use of the Cybersecurity Assessment Tool is optional for banks, the recently issued guidance makes clear that bank examiners will have an increasing level of focus on cybersecurity at banks of all sizes.

The Cybersecurity Assessment Tool was issued in June 2015, and, in its overview for chief executive officers and board members, the FFIEC indicated that boards of directors and bank management teams may want to consider, among other things, taking the following steps to address cybersecurity risk at their institution:

  • Developing a plan to conduct a cybersecurity risk assessment using the Cybersecurity Risk Assessment Tool
  • Establishing a target state of cybersecurity preparedness that best aligns to the board of directors’ approved risk appetite for the institution
  • Approving plans to address any cybersecurity risk management and control weaknesses
  • Implementing changes to ensure that the institution has achieved its desired level of cybersecurity preparedness
  • Monitoring cybersecurity risk on an ongoing basis.

In its Frequently Asked Questions document, released in October 2016, the FFIEC addressed a number of issues that had been raised by bankers and other interested parties relating to the Cybersecurity Assessment Tool. The FAQs make clear that use of the Cybersecurity Assessment Tool is voluntary, and that an institution’s management may choose to use the Tool or another risk assessment process to identify inherent risk and evaluate cybersecurity preparedness. That said, the FAQs summarize a number of benefits that an institution might see from using the Tool, including the identification of factors contributing to the institution’s overall cyber risk and providing a framework for determining whether or not the institution’s cybersecurity preparedness is aligned with its inherent risk.

As is often the case with regulatory guidance like this, bank management teams may want to give strong consideration to using the Cybersecurity Assessment Tool as a means of evaluating cybersecurity risk at their institutions, particularly in an environment where it appears there will be both an increasing level of regulatory scrutiny in this area and, given the continued influence and use of technology, an increasing level of cybersecurity threats.