OCC Outlines Supervisory Priorities; FFIEC Updates Cybersecurity Guide

FFIEC amended the October 2018 Cybersecurity Resource Guide for financial institutions to update certain references and include ransomware-specific resources to address the ongoing threat of ransomware incidents. The guide is aimed to help financial institutions meet their security control objectives and prepare to respond to cyber incidents. In another development, OCC recently released the "Bank Supervision Operating Plan," which facilitates the implementation of supervisory strategies for individual national banks, federal savings associations, federal branches, and agencies of foreign banking organizations as well as identified third-party services subject to OCC examination. The plan outlines supervisory priorities for 2023 (October 01, 2022 to September 30, 2023) and aligns with OCC's Strategic Plan, Fiscal Years 2023–2027 and the National Risk Committee’s (NRC) priorities. In addition to the baseline activities, OCC risk-based supervision will heighten its focus on the following areas:

• The potential impact to operational risk from cybersecurity threats, control breakdowns, and risk management gaps remains a supervisory focus. Operational resilience examinations should consider incident response and business resumption practices, with explicit evaluation of data backup and recovery capabilities. Information and cybersecurity examinations should focus on fundamental controls to identify, detect, and prevent threats and vulnerabilities; such controls include authentication, access controls segmentation, patch management, and end-of-life programs. Examiners should review the effectiveness of governance processes dealing with technology investment and the implementation of systems and infrastructure changes.
• Examiners should determine whether banks are providing proper risk management governance of their third-party relationships and should identify the risk attributes of these relationships, for example, if they involve customer-facing products and services, are critical to bank operations, represent significant concentrations, affect the bank’s operational resilience, or affect compliance with requirements such as the Bank Secrecy Act and consumer protection laws. Additionally, examiners should determine whether the bank and third parties have sufficient, qualified staff to meet contractual obligations. Examiners should be aware of the cyber-related risks arising from third parties and evaluate the bank’s assessments of third parties’ cybersecurity risk management and resilience capabilities.
• Examiners should assess whether banks remain vigilant when considering growth and new profit opportunities. Examiners should assess bank management’s and the board’s understanding of the impact of innovative or new activities, including activities offered through third-party relationships, on the bank’s financial performance, strategic planning process, and risk profile. Such activities could potential involve areas such as payments, fintech, and digital assets.
• OCC will continue to work to better understand climate-related financial risks, particularly as they relate to risks at large banks. During 2023, the agency will continue information gathering efforts and plan on conducting additional industry outreach. At the largest banks, examiners will monitor the development of climate-related financial risk frameworks and will engage with bank management to understand the challenges that banks face in this effort, such as data and metrics, governance and oversight, policies, procedures, and limits, strategic planning, scenario analysis capabilities and techniques, and incorporation of the frameworks into current bank risk management processes.
• Other focus areas include credit risk management, allowances for credit losses, interest rate risk, liquidity risk management, consumer compliance, Bank Secrecy Act, fair lending, and Community Reinvestment Act

Related Links

• Supervisory Plan for 2023
• Statement from Michael J. Hsu
• Launch of Office of Financial Technology
• FDIC on Cybersecurity Resource Guide
• FFIEC Cybersecurity Resource Guide (PDF)

Keywords: Americas, US, Banking, Regtech, Interest Rate Risk, Credit Risk, Liquidity Risk, Fintech, Digital Assets, Operational Resilience, Cyber Risk, Third Party Arrangements, Climate Change Risk, Scenario Analysis, Basel, FDIC, FFIEC, OCC