On December 10, 2014, Valerie Abend, Senior Critical Infrastructure Officer for the Office of the Comptroller of the Currency (OCC) testified before the U.S. Senate Committee on Banking, Housing, and Urban Affairs on the OCC’s cyber-risk framework and recent OCC and Federal Financial Institutions Examination Council (FFIEC) cybersecurity initiatives. The OCC’s testimony serves as a reminder to community banks and other financial institutions that information sharing should be a component of a bank’s risk governance framework and that improved information sharing activities with the Financial Services Information Sharing and Analysis Center (FS-ISAC) and other industry groups are among the most effective processes to identify, respond to, and mitigate cybersecurity threats and vulnerabilities.
OCC Supervisory Framework
Community banks should incorporate the elements of the OCC’s cybersecurity supervisory framework into their own risk governance framework. According to Ms. Abend’s testimony, the OCC’s cybersecurity supervisory framework is built around four key elements. The first is the OCC’s ongoing monitoring and information sharing with other regulators, government agencies, and banks with respect to emerging threats and changes to the risk landscape. The second is the OCC’s development and continual refinement of standards and guidance that set forth supervisory expectations as to how banks and third-party service providers can best safeguard bank and bank customer information. The third is the agency’s communication of these supervisory expectations to examiners and bank management through training and other forms of communication. The fourth is the implementation of policy through on-site examination of banks and critical third-party service providers to assess their compliance with the OCC’s supervisory expectations, to ensure that they are appropriately managing risks, and, when necessary, to direct them to take corrective action. By aligning the bank’s risk governance framework with the OCC’s supervisory expectations, community banks will mitigate compliance risk and be better prepared to respond to any matters identified by the OCC or other banking agency examiners.
In addition to alerts regarding threats posed by ATM cash-out schemes and distributed denial of service attacks, as well as the “Heartbleed” and “Shellshock” vulnerabilities, FFIEC’s most significant recent initiative was a new cybersecurity examination work program (the Cybersecurity Assessment) conducted at more than 500 community banks and other financial institutions. The Cybersecurity Assessment evaluated the complexity of each institution’s operating environment, focusing on such factors as the types of connections employed, the products and services offered, and the technologies used. It also assessed each institution’s overall cybersecurity preparedness, with a focus on the following key areas: Risk Management and Oversight, Threat Intelligence and Collaboration, Cybersecurity Controls, External Dependency Management, and Cyber Incident Management and Resilience. After reviewing the results of the Cybersecurity Assessment, on November 3, 2014, FFIEC released its Cybersecurity Assessment General Observations (General Observations) and its Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (Cybersecurity Sharing Statement). Consistent with the OCC’s testimony before the Senate, both the General Observations and the Cybersecurity Sharing Statement emphasized that community banks and institutions of all sizes must participate in FS-ISAC to maintain sufficient awareness of the cybersecurity threats posed to their institutions and to comply with the cyber-risk management processes documented in their risk governance frameworks.