Nonbank Cybersecurity Exam Programs

The Baseline Nonbank Cybersecurity Exam Program and the Enhanced Nonbank Cybersecurity Exam Program are tools used by state examiners nationwide to assess the cyber preparedness of nonbank entities. These tools also provide institutions the ability to improve their cybersecurity posture and better prepare for cybersecurity exams conducted by state examiners.

Pre-Examination Documents to Send to Entity

The Baseline Nonbank Exam Programs 

This information technology (IT) and cybersecurity work program was created by state regulators for examinations of nonbank institutions. The procedures provide an in-depth risk evaluation of the four critical components of the Uniform Rating System for Information Technology (URSIT): Audit, Management, Development and Acquisition, and Support and Delivery. URSIT was developed by the Federal Financial Institutions Examination Council (FFIEC) to evaluate the information technology function at banking institutions. The primary purpose of this rating system is to evaluate the examined institution's overall risk exposure and risk management performance, and to determine the degree of supervisory attention necessary to ensure that weaknesses are addressed and risks are properly managed.

The Enhanced Nonbank Exam Program

This exam program includes the baseline procedures (noted by a light blue shading) plus additional procedures. It should be used to provide a more in-depth review for larger, more complex institutions or for those where concerns are raised during the exam. The program is targeted for use by examiners with specialized knowledge of IT and cybersecurity.

Additional Resources

This program is part of a larger initiative by CSBS and state regulators to equip examiners and the industry with the necessary tools to protect the nation’s critical financial infrastructure. Below are some additional tools to aid in this effort.

1129 20th Street, N.W., 9th Floor, Washington, DC 20036 | Tel. 202.296.2840 | Fax. 202.296.1928
