By Matthew D. Rowe
December 1, 2016
The Office of the Comptroller of the Currency has indicated in a recent bulletin that its examiners will gradually incorporate a Cybersecurity Assessment Tool into its examinations of national banks and other institutions under its regulatory purview. At the same time, the Federal Deposit Insurance Corporation issued a Financial Institution Letter informing banks of a Frequently Asked Questions document relating to the Cybersecurity Assessment Tool, which was recently issued by the Federal Financial Institutions Examination Council (FFIEC). While use of the Cybersecurity Assessment Tool is optional for banks, the recently-issued guidance makes clear that bank examiners will have an increasing level of focus on cybersecurity at banks of all sizes.
The Cybersecurity Assessment Tool was issued in June 2015, and, in its overview for chief executive officers and board members, the FFIEC indicated that boards of directors and bank management teams may want to consider, among other things, taking the following steps to address cybersecurity risk at their institution:
- Developing a plan to conduct a cybersecurity risk assessment using the Cybersecurity Risk Assessment Tool
- Establishing a target state of cybersecurity preparedness that best aligns to the board of directors’ approved risk appetite for the institution
- Approving plans to address any cybersecurity risk management and control weaknesses
- Implementing changes to ensure that the institution has achieved its desired level of cybersecurity preparedness
- Monitoring cybersecurity risk on an ongoing basis.
In its Frequently Asked Questions document, released in October 2016, the FFIEC addressed a number of issues that had been raised by bankers and other interested parties relating to the Cybersecurity Assessment Tool. The FAQs make clear that use of the Cybersecurity Assessment Tool is voluntary, and that an institution’s management may choose to use the Tool or another risk assessment process to identify inherent risk and evaluate cybersecurity preparedness. That said, the FAQ’s summarize a number of benefits that an institution might see from using the tool, including the identification of factors contributing to the institution’s overall cyber risk and providing a framework for determining whether or not the institution’s cybersecurity preparedness is aligned with its inherent risk.
As is often the case with regulatory guidance like this, bank management teams may want to give strong consideration to using the Cybersecurity Assessment Tool as a means of evaluating cybersecurity risk at their institutions, particularly in an environment where it appears there will be both an increasing level of regulatory scrutiny in this area and, given the continued influence and use of technology, an increasing level of cybersecurity threats.
The content in the following blog posts is based upon the state of the law at the time of its original publication. As legal developments change quickly, the content in these blog posts may not remain accurate as laws change over time. None of the information contained in these publications is intended as legal advice or opinion relative to specific matters, facts, situations, or issues. You should not act upon the information in these blog posts without discussing your specific situation with legal counsel.
© 2022 Ruder Ware, L.L.S.C. Accurate reproduction with acknowledgment granted. All rights reserved.