IriusRisk Team
The Threat Modeling Experts
May 9, 2024

Enhancing US Financial Security: Understanding OCC and FFIEC Regulations

Guidance for Financial Services 

Risk assessment activities, improvements, and processes are imperative to the functioning of any financial organization. Any regulated financial services firm in the US has security requirements from at least one regulator and faces constant pressure from ever-present cyber attacks. In this blog we look at two key organizations that provide guidance and define how financial services firms are measured for cybersecurity, among other normal business processes: the Office of the Comptroller of the Currency (OCC) and the Federal Financial Institutions Examination Council (FFIEC).

What is the OCC? 

The OCC is an independent bureau of the U.S. Department of the Treasury. It charters, regulates, and supervises all national banks, federal savings associations, and federal branches and agencies of foreign banks. It enforces safe practices within national banks and federal savings associations, and many organizations in this industry therefore use the OCC Comptroller's Handbook as a basis for their cybersecurity efforts, strategies, and best practices.

What is the FFIEC? 

The FFIEC is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Consumer Financial Protection Bureau (CFPB), and to make recommendations to promote uniformity in the supervision of financial institutions.

The OCC also recommends using its Handbook in conjunction with other handbooks or manuals such as the FFIEC Information Technology Examination Handbook and the FFIEC Bank Secrecy Act/Anti-Money Laundering Examination Manual.

The Federal Financial Institutions Examination Council (FFIEC) is responsible for developing uniform reporting systems for federally supervised financial institutions, their holding companies, and the non-financial institution subsidiaries of those institutions and holding companies.

The FFIEC organization chart gives an idea of the scope of its structure.

What is threat modeling and how does it help?

The descriptions in the manual refer to various risk management activities, and threat modeling is a logical step toward achieving many of the listed requirements and outcomes.

It is highly likely that you are already implementing multiple risk management activities to adhere to the requirements stated by official bodies. However, there are other techniques you may be less aware of that can help you secure your risk posture while also demonstrating that you are following the handbooks and manuals.

One such technique is automated threat modeling, which can help you implement what is required directly. Here is one example from the OCC Handbook, Information Technology, Objective 5, Procedure 1, page 129: a report or diagram that illustrates computer systems and networks, application and software deployment, vendor and external connectivity, and data flows, including primary data repositories. This requirement can be met with threat modeling: when you create an architecture diagram within IriusRisk, you can map out an entire system, its associated networks, components, trust boundaries, dataflows, and more. Once you update the diagram, you have a live threat model with all associated risks, their levels of priority, and even the countermeasures that allow you to remediate the security issues.

The FFIEC Cybersecurity Assessment Tool (CAT) has similar elements that are applicable. Here is one example (source: IS.II, page 6): management should develop and implement an information security program that supports the institution's IT risk management (ITRM) process by identifying threats, measuring risk, defining information security requirements, and implementing controls. IriusRisk identifies the level of risk, gives you the necessary countermeasures (security controls), and allows you to act upon them and mark them as implemented, all with full integration into other systems to manage and mitigate. Integrations include testing frameworks, security tools, and issue trackers with two-way synchronization.
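To show how a diagram becomes both the inventory the OCC procedure above asks for and a prioritised list of threats with countermeasures, here is a small added example in Python. It is not IriusRisk code; the components, zones, dataflows and the two threat rules (unencrypted or unauthenticated flows crossing a trust boundary) are constructed for illustration.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Component:
    name: str
    zone: str                 # trust zone the component sits in
    vendor: bool = False      # external, vendor-hosted system
    repository: bool = False  # primary data repository

@dataclass(frozen=True)
class DataFlow:
    src: str
    dst: str
    data: str
    encrypted: bool = False
    authenticated: bool = False

def find_threats(components, flows):
    """One (priority, title, countermeasure, flow) per unprotected trust-boundary crossing."""
    by_name = {c.name: c for c in components}
    threats = []
    for f in flows:
        a, b = by_name[f.src], by_name[f.dst]
        if a.zone == b.zone:
            continue  # same trust zone: no boundary crossed
        # flows that touch a data repository or a vendor are prioritised first
        pri = "high" if any(c.repository or c.vendor for c in (a, b)) else "medium"
        if not f.encrypted:
            threats.append((pri, f"{f.data} crosses a trust boundary in the clear",
                            "Encrypt this dataflow (e.g. TLS)", f))
        if not f.authenticated:
            threats.append((pri, f"{f.dst} accepts {f.data} from an unauthenticated peer",
                            "Mutually authenticate both ends of this dataflow", f))
    return sorted(threats, key=lambda t: t[0] != "high")
def inventory_report(components, flows):
    """The items the quoted OCC procedure expects a diagram or report to show."""
    vendors = {c.name for c in components if c.vendor}
    return {
        "systems": [c.name for c in components if not c.vendor],
        "vendor_connections": [f"{f.src} -> {f.dst}" for f in flows if f.dst in vendors],
        "data_flows": [f"{f.src} -> {f.dst}: {f.data}" for f in flows],
        "data_repositories": [c.name for c in components if c.repository],
    }
# Constructed sample architecture, not a real institution's diagram
COMPONENTS = [Component("Customer browser", "internet"),
              Component("Online banking app", "dmz"),
              Component("Core accounts DB", "internal", repository=True),
              Component("KYC vendor API", "vendor", vendor=True)]
FLOWS = [DataFlow("Customer browser", "Online banking app", "login credentials", True, True),
         DataFlow("Online banking app", "Core accounts DB", "account records", False, True),
         DataFlow("Online banking app", "KYC vendor API", "customer PII", True, False)]
```

Running `find_threats(COMPONENTS, FLOWS)` flags the cleartext path to the accounts database and the unauthenticated vendor call, both at high priority, while `inventory_report` produces the systems, vendor connections, dataflows and repositories list in one pass over the same model.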

What are the benefits of threat modeling?

There are many positives from choosing to threat model, depending on use case, industry, and processes; however, some common benefits for financial organizations include:

  1. The process of threat modeling may cover compliance and audit requirements for the items that are threat modeled.
  2. Identifying threats and fixing them up front is more cost-effective and introduces less risk to the production environment.
  3. ROI measured by a reduction in rework, potentially less risk via a reduction in known threats, and reusable content created with each threat model reduces.
  4. A consistent and version-controlled representation of the architecture, tagged with a risk score, traceable via JIRA tickets, and reported in any format you need for risk and control activities.

What next?

We appreciate that the requirements set for Financial Services Risk & Controls functions, as well as Security Teams, are a full-time and continuous commitment. Threat modeling can help accelerate and improve existing processes, add security, and give you a full audit trail. Take a look at our Financial Services page for more information, or get in touch with our helpful team.