The Baseline Nonbank Cybersecurity Exam Program was developed as part of the 2018 CSBS Board-approved initiative to combat the growing threat of cyber-attacks in the financial system. The 2020 – 2023 CSBS Strategic Plan prioritizes state regulator implementation and use of this program. This exam program is designed as a baseline program, applicable to all nonbank institutions.
The exam program focuses on the critical parts of a cybersecurity program and was created to provide regulators with a tool to examine smaller, less complex institutions. This right-sized approach benefits both the regulator and the licensee: it reduces the demand on regulator resources and is tailored to the needs of smaller institutions.
By default, the exam program is sorted according to the Uniform Rating System for Information Technology (URSIT) component ratings: Audit, Management, Development and Acquisition, and Support and Delivery. To give examiners flexibility, it can also be sorted by the NIST Cybersecurity Framework functions of Identify, Protect, Detect, Respond, and Recover. The exam program lists the Gramm-Leach-Bliley Act (GLBA) citation for each question.
Pre-Examination Documents to Send to the Entity
- Nonbank Cyber Exam Notification Letter
- Pre-Exam IT Officer's Questionnaire
- Pre-Exam Document Request List