From Banking and Finance Law Daily, October 18, 2016

FAQ guide for cybersecurity tool will help banks evaluate risk

By Colleen M. Svelnis, J.D.

The Office of the Comptroller of the Currency (OCC) plans to gradually incorporate the Cybersecurity Assessment Tool developed by the Federal Financial Institutions Examination Council (FFIEC) into its examinations of national banks, federal savings associations, and federal branches and agencies. To that end, the FFIEC and the OCC have released Frequently Asked Questions (FAQs) about the assessment tool to assist examiners and banks. The FAQs incorporate questions from bankers on how to use the tool. The Federal Deposit Insurance Corporation also issued a Financial Institution Letter informing banks of the availability of the FAQs.

The assessment tool is intended for banks of all sizes to evaluate their risks and cybersecurity preparedness. According to the FFIEC, it provides a repeatable and measurable process that financial institutions may use to measure their cybersecurity preparedness over time.

The assessment tool incorporates concepts and principles contained in the FFIEC Information Technology Examination Handbook, regulatory guidance, applicable laws and regulations, FFIEC joint statements, and well-known industry standards, such as the National Institute of Standards and Technology’s Cybersecurity Framework. Use of the assessment tool is voluntary.

The assessment has two parts: an inherent risk profile and a cybersecurity maturity assessment. The inherent risk profile identifies the amount of risk posed to a bank by the types, volume, and complexity of the bank’s technologies and connections, without regard to the bank’s risk-mitigating controls. Cybersecurity maturity is evaluated in five domains. The cybersecurity maturity levels appropriate for a bank depend on its inherent risk profile.

Value of tool. Management can use the assessment tool to help with oversight of the bank’s cybersecurity by:

  • identifying factors contributing to and determining the institution’s overall cyber risk;

  • assessing the institution’s cybersecurity preparedness;

  • evaluating whether the institution’s cybersecurity preparedness is aligned with its inherent risks;

  • determining risk management practices and controls that are needed or require enhancement and actions to be taken to achieve the desired state; and

  • informing risk management strategies.
