An official website of the United States government
Parts of this site may be down for maintenance from Thursday, December 19, 9:00 p.m. Sunday, December 22, 9:00 a.m. (Eastern).
OCC Bulletin 2023-22 | June 26, 2023
Share This Page:
Chief Executive Officers of All National Banks, Federal Savings Associations, and Federal Branches and Agencies; Department and Division Heads; All Examining Personnel; and Other Interested Parties
The Office of the Comptroller of the Currency (OCC) recently developed and distributed the Cybersecurity Supervision Work Program for use by examiners. As cyberattacks evolve and as banks1 adopt various standardized tools and frameworks to assess cybersecurity preparedness, the OCC recognized the need to update its approach to cybersecurity assessment as part of the agency’s bank supervision. The Cybersecurity Supervision Work Program (CSW) provides high-level examination objectives and procedures that are aligned with existing supervisory guidance and the National Institute of Standards and Technology Cybersecurity Framework. The CSW Overview page on www.occ.gov links to the CSW References page, which provides cross-references that map the CSW procedures to existing supervisory guidance and industry cybersecurity frameworks. For example, cross-references include the Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool, the Center for Internet Security’s Critical Security Controls, and the Cyber Risk Institute’s Profile.
The CSW does not establish new regulatory expectations, and banks are not required to use this work program to assess cybersecurity preparedness. The OCC continues to encourage but does not require use of standardized approaches to assess and improve cybersecurity preparedness, and banks may choose from a variety of tools and frameworks available.2 The CSW does not change the availability of banks’ optional use of the FFIEC Cybersecurity Assessment Tool or other cybersecurity frameworks.
Examiners may use the CSW’s examination procedures during examinations of a community bank’s cybersecurity preparedness.
The CSW
Please contact Norine Richards, Director of Bank Information Technology Policy at (202) 649-6550.
Grovetta N. Gardineer Senior Deputy Comptroller for Bank Supervision Policy
1 “Banks” refers collectively to national banks, federal savings associations, covered savings associations, and federal branches and agencies of foreign banking organizations.
2 Refer to Federal Financial Institution Examination Council press release titled “FFIEC Encourages Standardized Approach to Assessing Cybersecurity Preparedness,” August 28, 2019.