OCC Bulletin 2020-5 | January 16, 2020

Cybersecurity: Joint Statement on Heightened Cybersecurity Risk

To

Chief Executive Officers of All National Banks, Federal Savings Associations, and Federal Branches and Agencies; Department and Division Heads; All Examining Personnel; and Other Interested Parties

Summary

The Office of the Comptroller of the Currency (OCC) and the Federal Deposit Insurance Corporation (FDIC) today issued a joint statement on heightened cybersecurity risk to remind supervised financial institutions of sound cybersecurity risk management principles. These principles elaborate on standards in the Interagency Guidelines Establishing Information Security Standards [1] and in resources provided by the Federal Financial Institutions Examination Council (FFIEC) members, such as the joint statement on destructive malware [2] issued in March 2015.

When national banks, federal savings associations, and federal branches and agencies of foreign banking organizations (collectively, banks) apply these principles and risk mitigation techniques, they reduce the risk of a cyber attack’s success and minimize the negative impacts of a successful disruptive and destructive cyber attack. While preventive controls are important, bank management should be prepared for a worst-case scenario and maintain sufficient business continuity planning processes for the rapid recovery, resumption, and maintenance of bank operations.

Note for Community Banks

This guidance applies to all OCC-supervised banks. Community banks should test their incident response and business continuity plans and understand their responsibilities in the event of cyber attacks at their banks or involving their third-party service providers.

Highlights

The joint statement issued today states that implementing and maintaining effective cybersecurity controls is critical to protecting banks from malicious activity, especially in periods of heightened risk. Sound risk management for cybersecurity includes the following:

  • Response and resilience capabilities: Review, update, and test incident response and business continuity plans.
  • Authentication: Protect against unauthorized access.
  • System configuration: Securely configure systems and services.

The joint statement provides examples of cybersecurity and information technology risk management practices and controls important to safeguard against threats, especially from ransom and other destructive malware.

Further Information

Please contact Kevin Greenfield, Deputy Comptroller for Operational Risk, at (202) 649-6550.


Grovetta N. Gardineer
Senior Deputy Comptroller for Bank Supervision Policy

Related Link

1 Refer to 12 CFR 30, appendix B (OCC), and 12 CFR 364, appendix B (FDIC).

2 Refer to OCC Bulletin 2015-20, "Cybersecurity: Destructive Malware Joint Statement."