And I just got used to the old way

Financial Services Security Professionals Need to Get Ready for Changes in OCC Audits.



As the financial sector continues to face increasing cyber threats, a critical shift is coming in how the Office of the Comptroller of the Currency (OCC) and other regulators assess financial institutions' cybersecurity programs. The Federal Financial Institutions Examination Council (FFIEC) recently announced that the Cybersecurity Assessment Tool (CAT), widely used by banks to gauge their cybersecurity readiness, will be sunset on August 31, 2025. Security professionals must now adapt to the newer frameworks and guidance that will become integral to future regulatory examinations.


Key points to note:

1. Transition to New Standards: With the CAT no longer being updated, the OCC will expect financial institutions to refer to more current resources such as the NIST Cybersecurity Framework 2.0 and the Cybersecurity and Infrastructure Security Agency's (CISA) Cybersecurity Performance Goals, including the sector-specific goals being developed for financial institutions.

2. New Tools and Approaches: Organizations are encouraged to use industry-developed resources like the Cyber Risk Institute’s Cyber Profile and the Center for Internet Security’s Critical Security Controls. These tools offer robust alternatives that align with evolving cyber risks and regulatory expectations.


3. Risk-Focused Examinations: The OCC will continue its risk-focused approach, meaning that examiners may probe areas not fully covered by these standardized tools. Institutions therefore need a flexible and proactive cybersecurity strategy, and a control process that is robust and integrated across technology, risk and controls, and the business units, rather than one built to satisfy a single questionnaire.


4. Webinars and Further Guidance: The FFIEC has also announced plans for upcoming webinars to help banks navigate these changes, reinforcing the importance of staying up-to-date with emerging regulatory expectations.


Given this transition, security executives in the financial services sector need to review their cybersecurity frameworks to ensure they are in line with the latest regulatory expectations and industry frameworks. Adapting promptly is crucial both to meet regulatory requirements and to protect against emerging cyber risks.


If your organization wants to stay ahead of the regulators and build out a program of risk identification and remediation that actually saves the business money then reach out to Necessary Security LLC. We have built programs that have been audited by regulators globally with successful results.
