Cyber & IT Supervisory Forum - November 2023

Internal Use Only

Uniform Rating System for Information Technology (URSIT) November 6, 2023

1

Internal Use Only

Background Mission:

• The thinking group has been established to come up with possible options for whether and how to update URSIT, based upon its analysis and feedback from ITS members. ITS members will use the group’s work to make a recommendation to TFOS on possible options pertaining to URSIT. Components: • Evaluate the URSIT components Audit, Management, Development and Acquisition, Support and Delivery Approach to Evaluation: • Initial survey of FBA examiners regarding challenges/usefulness of URSIT: • Examiners view URSIT as a valuable supervision tool (particularly for smaller banks) • Examiners agree that there are opportunities to align, improve, and modernize • Example: Audit and D&A components have minimal impact on the URSIT Composite rating • Example: Challenging to distinguish BCM/operational resilience risk/information security in the crowded S&D component • Selected and reviewed current guidance, principles, and expectations in the IT risk management field including (but not limited to) NIST, BCBS, GLBA, IT Handbooks, as well as InTREX

2