OCC Bulletin 2020-5 | January 16, 2020
Cybersecurity: Joint Statement on Heightened Cybersecurity Risk
Chief Executive Officers of All National Banks, Federal Savings Associations, and Federal Branches and Agencies; Department and Division Heads; All Examining Personnel; and Other Interested Parties
The Office of the Comptroller of the Currency (OCC) and the Federal Deposit Insurance Corporation (FDIC) today issued a joint statement on heightened cybersecurity risk to remind supervised financial institutions of sound cybersecurity risk management principles. These principles elaborate on standards in the Interagency Guidelines Establishing Information Security Standards[1] and in resources provided by the Federal Financial Institutions Examination Council (FFIEC) members, such as the joint statement on destructive malware[2] issued in March 2015.
When national banks, federal savings associations, and federal branches and agencies of foreign banking organizations (collectively, banks) apply these principles and risk mitigation techniques, they reduce the risk of a cyber attack’s success and minimize the negative impacts of a successful disruptive and destructive cyber attack. While preventive controls are important, bank management should be prepared for a worst-case scenario and maintain sufficient business continuity planning processes for the rapid recovery, resumption, and maintenance of bank operations.
Note for Community Banks
This guidance applies to all OCC-supervised banks. Community banks should test their incident response and business continuity plans and understand their responsibilities in the event of cyber attacks at their banks or involving their third-party service providers.
The joint statement issued today states that implementing and maintaining effective cybersecurity controls is critical to protecting banks from malicious activity, especially in periods of heightened risk. Sound risk management for cybersecurity includes the following:
- Response and resilience capabilities: Review, update, and test incident response and business continuity plans.
- Authentication: Protect against unauthorized access.
- System configuration: Securely configure systems and services.
The joint statement provides examples of cybersecurity and information technology risk management practices and controls important to safeguard against threats, especially from ransom and other destructive malware.
Please contact Kevin Greenfield, Deputy Comptroller for Operational Risk, at (202) 649-6550.
Grovetta N. Gardineer
Senior Deputy Comptroller for Bank Supervision Policy