2 minute read
Franks: Accept Cyber Tool as a Resource
Arkansas state-chartered banks should become more knowledgeable about the Cyber Assessment Tool and determine how the tool can enhance their “cyber” security protocol, Commissioner Candace Franks said. Franks strongly encourages banks “to be pro-active and expeditious in their acceptance of this helpful and timely resource as the regulators work to develop training and processes for incorporating the tool into examination programs.” “The Bank Department understands the adoption and integration of the tool will be a process,” Franks said. “Currently, during examinations, we will discuss the assessment tool with bank management and assess their familiarity with the processes identified within this new program. “As the regulatory agencies further develop their examination programs to include the Cybersecurity Assessment Tool, we will continue to monitor banks’ adoption of the tool as part of their information technology risk management.” The Cyber Assessment Tool, referred to by the Federal Financial Institutions Examination Council as the “Assessment,” was released by the Council on behalf of its members on June 30, 2015. The Assessment is designed to help institutions identify their risks and assess their cyber-security preparedness. Financial institutions of all sizes can use the Assessment and other methodologies to perform a self-assessment and develop corresponding risk-management strategies. The FFIEC members – the four federal banking regulatory agencies, the Consumer Financial Protection Bureau and the State Liaison Committee – plan to update the Assessment as threats, vulnerabilities and operational environments evolve. In addition to the Assessment, the FFIEC is providing related resources that can be accessed on the Cybersecurity Assessment Tool Web page at: http://www.ffiec.gov/cyberassessmenttool.htm “The newly released FFIEC Cybersecurity Assessment Tool will serve as a valuable asset to the industry in its efforts to address cyber-security risks within their institutions,” Franks said. The federal banking regulatory agencies have responded to the release of the assessment, as follows: Office of the Comptroller of the Currency examiners will use the Assessment to supplement examination work to gain a more complete understanding of an institution’s inherent risk, risk management practices and controls related to cyber security. The OCC will begin incorporating the Assessment into examinations in late 2015. The Federal Deposit Insurance Corporation considers use of the tool to be “voluntary.” FDIC examiners will discuss the tool with institution management during examinations to ensure awareness and assist with answers to any questions. The Federal Reserve plans to utilize the Assessment beginning in late 2015 or early 2016 as part of its examination process when evaluating the cyber-security preparedness of institutions in information technology and safety-andsoundness examinations and inspections. Use of the tool is subject to a Paperwork Act Reduction notice published in the Federal Register. In connection with the issuance of the Assessment, the Office of Management and Budget (OMB) provided a six-month approval for the collection of this information. The six-month period will end December 31, 2015. The OCC has proposed an extension of OMB approval of the collection for the standard three years. The comment period for the OCC’s extension proposal was scheduled to end on September 21, 2015. A decision by OMB on the OCC’s request likely will be made before the current six-month period ends. From the Arkansas State Bank Department “The Banker’s Advocate,” September 30, 2015. Candace Franks
