FFIEC Cybersecurity Assessment Tool

OMB 1557-0328

The Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation, the Board of Governors of the Federal Reserve, and the National Credit Union Administration (together, the "agencies"), under the auspices of the Federal Financial Institutions Examination Council ("FFIEC"), have accelerated efforts to assess and enhance the state of the financial industry's cyber preparedness, and to close gaps in the agencies' examination procedures and training that can strengthen the oversight of financial industry cybersecurity readiness. The agencies also have focused on improving their abilities to provide financial institutions with resources that can assist in protecting institutions and their customers from the growing risk posed by cyber attacks.

As part of these increased efforts, the agencies developed a Cybersecurity Assessment Tool ("Assessment") that assists financial institutions of all sizes in assessing their inherent cybersecurity risk and their risk management capabilities. The Assessment allows a financial institution to identify its inherent cyber risk profile based on the financial institution's technologies and connection types, delivery channels, online/mobile products and technology services it offers, organizational characteristics, and threats it is likely to face. Once an institution identifies its inherent risk, it can evaluate its level of cybersecurity preparedness based on the institution's cyber risk management and oversight, threat intelligence capabilities, cybersecurity controls, external dependency management, and cyber incident management and resiliency planning using the Assessment's maturity matrix. A financial institution can use the maturity levels to identify opportunities for improving the institution's cybersecurity, based on its inherent risk profile.

The Assessment also enables financial institutions to more rapidly identify areas that could improve their cybersecurity risk management and response programs, if needed. In response to requests from financial institutions, this nonmaterial change provides an update to the Assessment that expands the response options for each declarative statement. With the additional response option, financial institutions' management may include supplementary or complementary behaviors, practices, and processes that represent current practices of the institution in assessing declarative statements. This change will not result in any change in burden.

The latest form for the FFIEC Cybersecurity Assessment Tool expires 2022-08-31.
