The Baseline Nonbank Cybersecurity Exam Program and the Enhanced Nonbank Cybersecurity Exam Program are tools used by state examiners nationwide to assess the cyber preparedness of nonbank entities. These tools also provide institutions the ability to improve their cybersecurity posture and better prepare for cybersecurity exams conducted by state examiners. The Baseline Nonbank Cybersecurity Exam Program Version 1.1 was released on March 21, 2023, and the Enhanced Nonbank Cybersecurity Exam Program was released on May 9, 2022.
Pre-Examination Documents to Send to Entity
The Baseline Nonbank Exam Programs
This information technology (IT) and cybersecurity work program was created by state regulators for examinations of nonbank institutions. The procedures provide an in-depth risk evaluation of the four critical components of the Uniform Rating System for Information Technology (URSIT) which include Audit, Management, Development and Acquisition, and Support and Delivery. URSIT was developed by the Federal Financial Institutions Examination Council (FFIEC) to evaluate the information technology function at banking institutions. The primary purpose of this rating system is to evaluate the examined institution's overall risk exposure and risk management performance and determine the degree of supervisory attention necessary to ensure that weaknesses are addressed, and risks are properly managed.
The Enhanced Nonbank Exam Program
This exam program includes the baseline procedures (noted by a light blue shading) plus additional procedures and should be used to provide a more in-depth review for larger, more complex institutions or for those where concerns are raised during the exam. The program is targeted for use by examiners with specialized knowledge of IT and cybersecurity.
This program is part of a larger initiative by CSBS and state regulators to equip examiners and the industry with the necessary tools to protect the nation’s critical financial infrastructure. Below are some additional tools to aid in this effort.