Grovetta N. Gardineer
Jun 26, 2023
The Office of the Comptroller of the Currency (OCC) recently developed and distributed the Cybersecurity Supervision Work Program for use by examiners. As cyberattacks evolve and as banks adopt various standardized tools and frameworks to assess cybersecurity preparedness, the OCC recognized the need to update its approach to cybersecurity assessment as part of the agency’s bank supervision.
The Cybersecurity Supervision Work Program (CSW) provides high-level examination objectives and procedures that are aligned with existing supervisory guidance and the National Institute of Standards and Technology Cybersecurity Framework. The CSW Overview page on www.occ.gov links to the CSW References page, which provides cross-references that map the CSW procedures to existing supervisory guidance and industry cybersecurity frameworks. For example, cross-references include the Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool, the Center for Internet Security’s Critical Security Controls, and the Cyber Risk Institute’s Profile.
The CSW does not establish new regulatory expectations, and banks are not required to use this work program to assess cybersecurity preparedness. The OCC continues to encourage but does not require use of standardized approaches to assess and improve cybersecurity preparedness, and banks may choose from a variety of tools and frameworks available. The CSW does not change the availability of banks’ optional use of the FFIEC Cybersecurity Assessment Tool or other cybersecurity frameworks.
The CSW is designed to more effectively address evolving risks and support risk-based bank information technology examinations.
The CSW is aligned with the National Institute of Standards and Technology Cybersecurity Framework.
The CSW is informed by the FFIEC Information Technology Examination Handbook and common cybersecurity frameworks.
The CSW is designed to focus on cybersecurity preparedness and supplements the OCC’s bank information technology examination procedures contained in the “Community Bank Supervision,” “Large Bank Supervision,” and “Federal Branches and Agencies Supervision” booklets of the Comptroller’s Handbook.
Please contact Norine Richards, Director of Bank Information Technology Policy, at (202) 649-6550.
Grovetta N. Gardineer
Senior Deputy Comptroller for Bank Supervision Policy