OCC calls for comments on FFIEC cybersecurity assessment tool for financial services sector

The Office of the Comptroller of the Currency (OCC) has once again invited comments on behalf of itself, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation (FDIC), and the National Credit Union Administration (NCUA) on the renewal of the information collection of the FFIEC Cybersecurity Assessment Tool. The OCC is also ‘giving notice that it has sent the collection to OMB for review.’ 

Comments must be submitted on or before Sept. 7, 2022, according to a notice published in the Federal Register on Monday. The OCC also invites feedback on the FFIEC Cybersecurity Assessment Tool concerning whether the collection of information is necessary for the proper performance of the functions of the agencies, including whether the information has practical utility, and on the accuracy of the agencies’ estimates of the burden of the collection of information. 

The agencies also seek comment on ways to enhance the quality, utility, and clarity of the information to be collected; on measures to minimize the burden of the collection on respondents, including the use of automated collection techniques or other forms of information technology; and on estimates of capital or start-up costs and the costs of operation, maintenance, and purchase of services to provide the information.

The FFIEC Cybersecurity Assessment Tool has been designed to assist financial institutions of all sizes in assessing their inherent cyber risks and risk management capabilities. It allows a financial institution to identify its inherent cyber risk profile based on technologies and connection types, delivery channels, online/mobile products and technology services, organizational characteristics, and the cyber threats it is likely to face. The financial services sector is one of the 16 critical infrastructure sectors in the U.S., and large-scale power outages, recent natural disasters, and increases in cyberattacks demonstrate the potential risks facing the sector. 

Last year, the U.S. administration made an ‘Insider Risk Self-Assessment’ tool available for critical infrastructure and the organizations that keep infrastructure operational. In addition, it released a cybersecurity information sheet that covers the selection and hardening of standards-based remote access VPN solutions to help secure the Department of Defense (DoD), national security systems, and the Defense Industrial Base (DIB). It also released a new module called the Ransomware Readiness Assessment (RRA) within its CSET tool. The RRA package allows for self-assessment and is based on a tiered set of practices to help organizations better assess how well they are equipped to defend and recover from a ransomware incident.

As cyber threats to financial institutions continue to evolve and increase in frequency and sophistication, and given the institutions’ exposure to cyber risks, cyberattacks on financial institutions may result in unauthorized access to, and the compromise of, confidential information, as well as the destruction of critical data and systems. Disruption, degradation, or unauthorized alteration of information and systems can affect a financial institution’s operations and core processes and undermine confidence in the nation’s financial services sector. Absent immediate attention to these rapidly increasing threats, both individual financial institutions and the financial sector as a whole are at risk.

Given the risk to the financial sector, the OCC, the Board of Governors of the Federal Reserve System, the FDIC, and the NCUA came together under the auspices of the Federal Financial Institutions Examination Council (FFIEC). As a result, the agencies acted to assess and enhance the state of the financial industry’s cyber preparedness, improve the agencies’ examination procedures, and provide training to strengthen oversight of the financial industry’s cybersecurity readiness. The agencies have also focused on providing financial institutions with resources that can assist in protecting them and their customers from the growing risks posed by cyberattacks.

“Once a financial institution identifies its inherent cyber risk profile, it can use the tool’s maturity matrix to evaluate its level of cybersecurity preparedness based on its cyber risk management and oversight, threat intelligence and collaboration, cybersecurity controls, external dependency management, and cyber incident management and resiliency planning,” the Federal Register notice said. “A financial institution may use the matrix’s maturity levels to identify opportunities for improving its cyber risk management based on its inherent risk profile.” 

The tool also enables a financial institution to rapidly identify areas that could improve the financial institution’s cyber response programs as appropriate. However, the use of the tool by financial institutions is voluntary.

On May 31, 2022, the OCC published a notice for 60 days of comment concerning this collection and received one comment from a trade association, which generally recognized that the FFIEC Cybersecurity Assessment Tool may be useful for community banks and included several recommendations for consideration. However, the association stated that the tool should remain voluntary and that institutions should not be required to use a specific tool or to switch tools.

The financial institutions’ use of the FFIEC Cybersecurity Assessment Tool is voluntary. While FFIEC members have emphasized the benefits of using a standardized approach to assess and improve cybersecurity preparedness, they have also recognized that institutions may choose from various standardized tools aligned with industry standards and best practices to assess their cybersecurity preparedness. The trade association also suggested that the agencies work with the trade association and community banks to update the FFIEC Cybersecurity Assessment Tool.

The trade association also suggested that the agencies provide non-attributable reports and statistical analyses based on information collected. Since the use of the FFIEC Cybersecurity Assessment Tool by financial institutions is voluntary and may vary across financial institutions, the agencies do not intend to publish or otherwise make publicly available the results of the use of the tool by financial institutions. However, through the FFIEC, the agencies regularly issue statements and alerts regarding threats and vulnerabilities and provide additional resources.

The U.S. administration recently issued a memorandum that outlines the cross-agency cyber investment priorities of President Joe Biden’s administration. It calls upon federal civilian executive branch (FCEB) agencies to make investments across three cyber priorities, including improving the defense and resilience of government networks, deepening cross-sector collaboration while protecting critical infrastructure, and boosting the foundations of a digitally-enabled future.
