Baseline Nonbank Cybersecurity Exam Workprogram

The Baseline Nonbank Cybersecurity Exam Program was developed as part of the 2018 CSBS Board-approved initiative to combat the growing threat of cyber-attacks in the financial system. The 2020 – 2023 CSBS Strategic Plan prioritizes state regulator implementation and use of this program. This exam program is designed as a baseline program, applicable to all nonbank institutions.

The exam program is focused on the critical parts of a cybersecurity program and was created to provide regulators a tool to examine the smaller, less complex institutions. This right-sized approach benefits both the regulator and the licensee: it reduces the demand on regulator resources and is appropriately tailored to the needs of smaller institutions.

The exam program is by default sorted according to the Uniform Rating System for Information Technology (URSIT) component ratings of Audit, Management, Development and Acquisition, and Support and Delivery. However, to provide flexibility based on the examiner’s preference, there is also the ability to sort by the NIST Cybersecurity Framework functions of identify, protect, detect, respond, and recover. The exam program contains the Gramm-Leach-Bliley Act (GLBA) citation for each question. 

Pre-Examination Documents to send to Entity

Exam Program 



1129 20th Street, N.W., 9th Floor, Washington, DC 20036 | Tel. 202.296.2840 | Fax. 202.296.1928