OCC Bulletin 2023-22 | June 26, 2023

Cybersecurity: Cybersecurity Supervision Work Program

To

Chief Executive Officers of All National Banks, Federal Savings Associations, and Federal Branches and Agencies; Department and Division Heads; All Examining Personnel; and Other Interested Parties

Summary

The Office of the Comptroller of the Currency (OCC) recently developed and distributed the Cybersecurity Supervision Work Program for use by examiners. As cyberattacks evolve and as banks¹ adopt various standardized tools and frameworks to assess cybersecurity preparedness, the OCC recognized the need to update its approach to cybersecurity assessment as part of the agency’s bank supervision. The Cybersecurity Supervision Work Program (CSW) provides high-level examination objectives and procedures that are aligned with existing supervisory guidance and the National Institute of Standards and Technology Cybersecurity Framework. The CSW Overview page on www.occ.gov links to the CSW References page, which provides cross-references that map the CSW procedures to existing supervisory guidance and industry cybersecurity frameworks. For example, cross-references include the Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool, the Center for Internet Security’s Critical Security Controls, and the Cyber Risk Institute’s Profile.

The CSW does not establish new regulatory expectations, and banks are not required to use this work program to assess cybersecurity preparedness. The OCC continues to encourage but does not require use of standardized approaches to assess and improve cybersecurity preparedness, and banks may choose from a variety of tools and frameworks available.² The CSW does not change the availability of banks’ optional use of the FFIEC Cybersecurity Assessment Tool or other cybersecurity frameworks.

Note for Community Banks

Examiners may use the CSW’s examination procedures during examinations of a community bank’s cybersecurity preparedness.

Highlights

The CSW

  • is designed to more effectively address evolving risks and support risk-based bank information technology examinations.
  • is aligned with the National Institute of Standards and Technology Cybersecurity Framework.
  • is informed by the FFIEC Information Technology Examination Handbook and common cybersecurity frameworks.
  • is designed to focus on cybersecurity preparedness and supplements the OCC’s bank information technology examination procedures contained in the “Community Bank Supervision,” “Large Bank Supervision,” and “Federal Branches and Agencies Supervision” booklets of the Comptroller’s Handbook.

Further Information

Please contact Norine Richards, Director of Bank Information Technology Policy, at (202) 649-6550.

 

Grovetta N. Gardineer
Senior Deputy Comptroller for Bank Supervision Policy

1 “Banks” refers collectively to national banks, federal savings associations, covered savings associations, and federal branches and agencies of foreign banking organizations.

2 Refer to the Federal Financial Institutions Examination Council press release titled “FFIEC Encourages Standardized Approach to Assessing Cybersecurity Preparedness,” August 28, 2019.