The Office of the Comptroller of the
Currency, the Federal Deposit Insurance Corporation, the Board of
Governors of the Federal Reserve, and the National Credit Union
Administration (together, the "agencies"), under the auspices of
the Federal Financial Institutions Examination Council ("FFIEC"),
have accelerated efforts to assess and enhance the state of the
financial industry's cyber preparedness, and to close gaps in the
agencies' examination procedures and training that can strengthen
the oversight of financial industry cybersecurity readiness. The
agencies also have focused on improving their abilities to provide
financial institutions with resources that can assist in protecting
institutions and their customers from the growing risk posed by
cyber attacks. As part of these increased efforts, the agencies
developed a Cybersecurity Assessment Tool ("Assessment") that
assists financial institutions of all sizes in assessing their
inherent cybersecurity risk and their risk management capabilities.
The Assessment allows a financial institution to identify its
inherent cyber risk profile based on the financial institution's
technologies and connection types, delivery channels, online/mobile
products and technology services it offers, organizational
characteristics, and threats it is likely to face. Once an
institution identifies its inherent risk, it can evaluate its level
of cybersecurity preparedness based on the institution's cyber risk
management and oversight, threat intelligence capabilities,
cybersecurity controls, external dependency management, and cyber
incident management and resiliency planning using the Assessment's
maturity matrix. A financial institution can use the maturity
levels to identify opportunities for improving the institution's
cybersecurity, based on its inherent risk profile. The Assessment
also enables financial institutions to more rapidly identify areas
that could improve their cybersecurity risk management and response
programs, if needed. In response to requests from financial
institutions, this nonmaterial change provides an update to the
Assessment that expands the response options for each declarative
statement. With the additional response option, financial
institutions' management may include supplementary or complementary
behaviors, practices, and processes that represent current
practices of the institution in assessing declarative statements.
This change will not result in any change in burden.

On behalf of this Federal agency, I certify that
the collection of information encompassed by this request complies
with 5 CFR 1320.9 and the related provisions of 5 CFR
1320.8(b)(3).

The following is a summary of the topics, regarding
the proposed collection of information, that the certification
covers:
(i) Why the information is being collected;
(ii) Use of information;
(iii) Burden estimate;
(iv) Nature of response (voluntary, required for a
benefit, or mandatory);
(v) Nature and extent of confidentiality; and
(vi) Need to display currently valid OMB control
number.

If you are unable to certify compliance with any of
these provisions, identify the item by leaving the box unchecked
and explain the reason in the Supporting Statement.