Federal Financial Institutions Examination Council Cybersecurity Assessment Tool Working Session in the National Institute of Standards and Technology Cybersecurity Framework Workshop

AGENCY:

Office of the Comptroller of the Currency (“OCC”), Treasury.

ACTION:

Notice of public meeting.

SUMMARY:

The OCC, on behalf of itself, the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, and National Credit Union Administration (Agencies), announces a public meeting to receive feedback on the Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool (Assessment).

DATES:

The Agencies will hold a public meeting on the Assessment on Thursday, April 7, 2016, beginning at 9:00 a.m. Eastern Daylight Time (EDT). The public meeting is a part of the National Institute of Standards and Technology (NIST) cybersecurity framework workshop, taking place on Wednesday, April 6, and Thursday, April 7, 2016. The public meeting on the Assessment will be a separate working session (Assessment working session) during the NIST workshop and will be open to any individual registered for the NIST workshop. Registrations for the NIST workshop will be accepted until March 31, 2016 11:59 p.m. EDT. There is no cost for registering for the workshop or attending the working session. Attendance at the Assessment working session will be on a first-come, first-served basis. The NIST workshop, including the Assessment working session, will be Webcast at http://www.nist.gov/itl/acd/cybersecurity-framework-workshop-2016.cfm.

ADDRESSES:

The Assessment working session will be held on April 7, 2016 at 9:00 a.m., at the NIST Campus, 100 Bureau Drive, Gaithersburg, Maryland 20899. All participants must pre-register at http://www.nist.gov/itl/acd/cybersecurity-framework-workshop-2016.cfm.

FOR FURTHER INFORMATION CONTACT:

Beth Knickerbocker, Counsel (202) 649-5490, for persons who are deaf or hard of hearing, TTY, (202) 649-5597, Legislative and Regulatory Activities Division, Office of the Comptroller of the Currency, 400 7th Street SW., Suite 3E-218, Mail Stop 9W-11, Washington, DC 20219.

SUPPLEMENTARY INFORMATION:

The FFIEC, on behalf of its members, released the Assessment on June 30, 2015, to help institutions identify their cyber risk and assess their cybersecurity preparedness. The purpose of the Assessment working session is to obtain substantive input from financial institutions and other interested parties on ways to improve the Assessment.

The Agencies are holding the Assessment working session on April 7, 2016, as a part of the NIST workshop, at the NIST Campus—100 Bureau Drive, Gaithersburg, Maryland 20899. The NIST workshop, including the Assessment working session, will be Webcast online at http://www.nist.gov/itl/acd/cybersecurity-framework-workshop-2016.cfm. The in-person Assessment working session will be open to any individual registered for the NIST workshop and attendance will be on a first-come, first-served basis. There is no cost for registering for the workshop or attending the working session. The Assessment working session will provide a forum for discussion of all aspects of the Assessment and will be an opportunity for interested persons to ask questions about the Assessment. Specifically, interested parties are encouraged to provide feedback on the Assessment's inherent risk profile, cybersecurity maturity, and supplemental materials. The Agencies may limit the time available to individuals seeking to provide their input, if needed, in order to accommodate the number of people desiring to speak.

All participants in the Assessment working session must pre-register for the NIST workshop at http://www.nist.gov/itl/acd/cybersecurity-framework-workshop-2016.cfm.

Further details about the NIST workshop, including the Assessment working session, are published on the NIST Web site at http://www.nist.gov/itl/acd/cybersecurity-framework-workshop-2016.cfm. The agenda for the NIST workshop is posted at http://www.nist.gov/itl/acd/upload/Agenda_Cybersec-2.pdf.

Additional Background on Assessment

Cyber threats have evolved and increased exponentially with greater sophistication. Cyber attacks on financial institutions may not only result in access to, and the compromise of, confidential information, but also the destruction of critical data and systems. Disruption, degradation, or unauthorized alteration of information and systems can affect an institution's operations and core processes and undermine confidence in the nation's financial services sector.

The Agencies, under the auspices of the FFIEC, developed the Assessment to assist financial institutions of all sizes in assessing their inherent cyber risks and their cybersecurity preparedness. The Assessment is intended to allow a financial institution to identify its inherent cyber risk profile based on the financial institution's technologies and connection types, delivery channels, online/mobile products and technology services it offers, organizational characteristics, and current threats. Once an institution identifies its inherent cyber risk profile, it will then determine its cybersecurity maturity levels based on the institution's cyber risk management and oversight, threat intelligence and collaboration, cybersecurity controls, external dependency management, and cyber incident management and resilience. A financial institution can use the Assessment to identify opportunities for improving the institution's cybersecurity preparedness. Use of the Assessment by financial institutions is not mandatory. Additional information on the Assessment and supporting materials are available on the FFIEC's Web site at http://www.ffiec.gov/cyberassessmenttool.htm.