OCC Releases Guidance on Cybersecurity Supervision

  • The Office of the Comptroller of the Currency (OCC) encourages the adoption of standardized approaches to cybersecurity preparedness.
  • The new guidance does not change regulatory expectations, and banks may continue to leverage alternative cybersecurity frameworks.
  • Banks should evaluate cybersecurity practices amidst increasing threats and supervisory focus.

On June 26, 2023, the OCC issued Bulletin 2023-22, Cybersecurity: Cybersecurity Work Program. The new Cybersecurity Supervision Work Plan (CSW) “provides high-level examination objectives and procedures that are aligned with existing supervisory guidance and the National Institute of Standards and Technology Cybersecurity Framework (NIST-CSF).” The CSW is structured according to the five NIST-CSF functions—Identify, Protect, Detect, Respond, and Recover—and their related categories and subcategories. The OCC clarified that the CSW sets no new regulatory expectations, although examiners may use the CSW procedures during examinations.

Cybersecurity Supervision Work Plan Highlights

The CSW contains procedures for examiners and acts as a supplement to procedures contained in the OCC Comptroller’s Handbook and Federal Financial Institutions Examination Council (FFIEC) Information Technology Examination Handbook booklets.

Because it was designed around the NIST-CSF, many of the expectations in the CSW will look familiar to financial institution cybersecurity professionals. In addition to many longstanding cybersecurity examination procedures, the CSW explains that examiners will:

  • Scrutinize risk appetite: Examiners will “Evaluate the effectiveness of processes used to determine risk appetite and risk tolerance for cybersecurity” and “Determine whether management considers and incorporates the bank’s role as part of critical infrastructure when establishing risk appetite or risk tolerances.”
  • Evaluate data security controls: The CSW indicated that examiners would analyze controls for remote access, network segmentation, encryption practices, key management, electronic media, mobile device management, data loss protection, and capacity and hardware integrity.
  • Encourage industry cybersecurity cooperation: In the event of an incident, examiners will “Evaluate information sharing arrangements to assess the effectiveness of sharing threats and countermeasures with other external stakeholders in order to support sector-wide situational awareness and response to incidents.”
  • Focus on internal software development processes: This element of the CSW is OCC-specific and not based on NIST-CSF. Examiners will evaluate internal software development activities, including code development security processes and the adequacy of practices for remediating code vulnerabilities.

Impact on Bank Cybersecurity Preparedness

The Bulletin is a recent example of the OCC’s nimble approach to supervising the ever-changing cybersecurity environment, its threats, and the associated risk management. NIST, an agency within the U.S. Department of Commerce, proactively updates its frameworks, given its insight into and responsibilities in the cybersecurity arena. Beyond the cybersecurity insight the OCC gains from the institutions it supervises, aligning with the NIST-CSF lets the OCC look more broadly across the banking system for evolving threats and risk management practices.

The OCC’s Semiannual Risk Perspective (SARP) discusses evolving cybersecurity challenges in each issuance. For example, the Spring 2023 SARP Special Topic “Investments in Technology Infrastructure” discusses how aging infrastructure can introduce cybersecurity vulnerabilities and maintenance challenges, including material outages affecting employees and customers. The Spring 2023 SARP also discusses several defenses that banks should consider incorporating into their cybersecurity frameworks, including multifactor authentication, hardening of system configurations, timely patch management, and backup testing for key systems.

Banks should review their cybersecurity policies and procedures against the supervisory guidance described in the CSW. In particular, a bank should assess whether its cybersecurity framework is aligned with the NIST-CSF, and the OCC’s CSW provides institutions with tools to carry out that assessment. Policies and procedures should also address internal software development processes in line with the OCC-specific expectations noted above.

The CSW also contains several references to cybersecurity risks posed by third-party service providers, an ongoing emphasis in the OCC’s 2013 and 2020 third-party guidance, which was rescinded in June 2023 in favor of the Interagency Guidance on Third-Party Relationships: Risk Management. Banks should understand and evaluate the potential cybersecurity vulnerabilities of critical third-party relationships and how those risks are managed. They should consider enhancing their third-party risk management processes accordingly and be prepared to share the results with supervisors.

Put Patomak’s Expertise to Work

Patomak has deep expertise in assessing the quality of cybersecurity programs at banks, broker-dealers, investment advisers, swap dealers, and other financial firms. Our expertise provides clients with an avenue for assessing and identifying enhancement opportunities for cybersecurity risk governance, control functions, MIS, audit quality, and third-party risk management.

If you would like to learn more about how Patomak can partner with you, please contact John Vivian, Senior Director, at jvivian@patomak.com.