OCC Cybersecurity and Financial System Resilience Report 2025: Complete Analysis

🔑 Key Takeaways

  • Understanding the OCC’s Cybersecurity Supervisory Framework — The OCC’s approach to cybersecurity supervision has undergone significant modernization in recent years, reflecting both the evolving threat landscape and the need for more standardized assessment methodologies.
  • The OCC’s Own Major Cybersecurity Incident — Perhaps the most striking element of the 2025 report is the OCC’s transparent disclosure of its own significant cybersecurity incident.
  • Escalating Cyber Threats to the Financial System — The report identifies eight categories of current and emerging threats that define the OCC cybersecurity financial resilience landscape for 2025 and beyond.
  • Third-Party Risk Management Requirements and Guidance — Third-party risk management emerges as a dominant theme throughout the OCC’s report, reflecting the growing recognition that banks’ cybersecurity posture is only as strong as their weakest vendor.
  • OCC Cybersecurity Financial Resilience Requirements for Banks — The report outlines specific cybersecurity and operational resilience expectations that banks must meet to satisfy OCC supervisory requirements.

Understanding the OCC’s Cybersecurity Supervisory Framework

The OCC’s approach to cybersecurity supervision has undergone significant modernization in recent years, reflecting both the evolving threat landscape and the need for more standardized assessment methodologies. At the center of this modernization is the Cybersecurity Supervision Work Program (CSW), released in 2023 and aligned with the NIST Cybersecurity Framework (CSF). The CSW provides OCC examiners with a structured methodology for evaluating banks’ cybersecurity programs, cross-referencing industry standards and the FFIEC IT Examination Handbook.

A significant regulatory change highlighted in the report is the sunsetting of the FFIEC Cybersecurity Assessment Tool (CAT), scheduled for removal from the FFIEC website on August 31, 2025. The CAT had served as a widely used self-assessment tool for banks, but its replacement by more modern frameworks like the CSW reflects the need for assessment approaches that can keep pace with rapidly evolving threats. Banks that have relied on the CAT for their cybersecurity self-assessments must now transition to alternative frameworks.

The OCC’s organizational restructuring in June 2025, which combined Midsize and Community Bank Supervision with Large Bank Supervision into a single Bank Supervision and Examination (BSE) line of business, also has implications for cybersecurity oversight. This consolidation is designed to create more consistent supervisory approaches across institutions of all sizes, ensuring that cybersecurity expectations are uniformly applied whether a bank holds $500 million or $500 billion in assets. For a broader view of how cybersecurity supervision fits within the federal regulatory landscape, see our analysis of cybersecurity resilience frameworks.

The report emphasizes that the OCC encourages but does not require banks to use a standardized cybersecurity assessment approach. However, the practical reality is that OCC examiners use the CSW as their evaluation framework, making alignment with its requirements essential for banks seeking favorable examination outcomes. The approximately 2,355 bank examiners conducting full-scope examinations every 12 to 18 months represent a substantial supervisory workforce focused on identifying and addressing cybersecurity deficiencies.

The OCC’s Own Major Cybersecurity Incident

Perhaps the most striking element of the 2025 report is the OCC’s transparent disclosure of its own significant cybersecurity incident. On February 12, 2025, the OCC confirmed unauthorized access to a service account in its cloud-based office automation environment. The compromised account was disabled the same day and reported to the Cybersecurity and Infrastructure Security Agency (CISA). Public notification followed on February 26, 2025.

After further investigation conducted in coordination with the Treasury Department, the incident was classified as a “major incident” under OMB Memorandum M-25-04, with Congress notified on April 8, 2025. An independent assessment conducted in March 2024 had confirmed no advanced persistent threat presence in the OCC’s on-premises IT environment, and the post-incident investigation confirmed no lateral movement from the cloud environment to on-premises systems, a critical finding that limited the scope of potential compromise.

The OCC’s response to the incident provides a model for the transparent and rapid incident management it expects from the banks it supervises. Technical indicators of compromise were shared through multiple channels including Treasury OCCIP circulars, the Project Fortress threat feed, and the Financial Services Information Sharing and Analysis Center (FS-ISAC). The OCC subsequently hardened its office automation environment and continues to implement additional security measures.

This self-disclosure carries significant implications for the OCC’s credibility as a cybersecurity regulator. By openly acknowledging its own vulnerability and documenting its response, the OCC demonstrates that cyber risk is universal — affecting even the organizations responsible for overseeing cybersecurity in the financial sector. It also underscores the importance of the 36-hour incident notification rule that applies to banks under OCC supervision, showing that the agency holds itself to similar standards of transparency.

Escalating Cyber Threats to the Financial System

The report identifies eight categories of current and emerging threats that define the OCC cybersecurity financial resilience landscape for 2025 and beyond. Each threat category has distinct characteristics and requires specific mitigation strategies, making a comprehensive understanding essential for effective risk management.

Ransomware continues to top the threat list, with increasing frequency and severity driven by the ransomware-as-a-service model that enables less sophisticated attackers to deploy advanced ransomware variants. Financial institutions of all sizes are targets, and the report notes that ransomware campaigns increasingly involve data exfiltration before encryption, creating double-extortion scenarios in which institutions face both operational disruption and data exposure, so that restoring from backups no longer ends the incident.

Supply chain attacks represent what the report characterizes as the Achilles’ heel of the banking system. The concentration of critical services in a small number of technology providers creates systemic risk that extends beyond individual institutions. Recent high-profile incidents involving widely used IT systems that compromised thousands of customers underscore the difficulty of managing risk that originates outside an institution’s direct control. For insights into how organizations are addressing third-party technology risks, our guide on cloud migration best practices explores vendor risk management strategies.

Artificial intelligence presents a dual-use challenge that the OCC identifies as requiring careful supervisory attention. While AI can strengthen risk management, enhance fraud detection, and expand access to financial services, attackers are weaponizing AI for deepfake voice cloning, advanced phishing campaigns, and automated malware development. The report suggests that AI may accelerate the pace at which threat actors can develop and deploy new attack techniques, potentially outstripping the financial sector’s ability to adapt its defenses.

Additional threats identified include distributed denial-of-service (DDoS) attacks targeting financial sector infrastructure, increasingly sophisticated account takeover techniques that exploit phishing and stolen credentials, geopolitical tensions driving state-sponsored threat activity, the prospect of quantum computers breaking the public-key cryptography in use today (the reason post-quantum cryptography appears on the list), and digital asset vulnerabilities as banks expand into cryptocurrency-related activities.

Third-Party Risk Management Requirements and Guidance

Third-party risk management emerges as a dominant theme throughout the OCC’s report, reflecting the growing recognition that banks’ cybersecurity posture is only as strong as their weakest vendor. The increasing reliance on external technology providers — particularly among community banks that may lack the resources for in-house technology development — creates concentration risks that can have systemic implications.

The regulatory framework for third-party risk management has been significantly strengthened through a series of interagency guidance documents. The June 2023 interagency guidance on third-party risk management, issued jointly by the OCC, FDIC, and Federal Reserve Board, established comprehensive expectations for how banks should identify, assess, monitor, and manage risks associated with third-party relationships. A supplementary guide specifically for community banks followed in May 2024, recognizing the unique challenges faced by smaller institutions.

The OCC’s third-party examination program represents a significant supervisory tool. Service provider examinations are typically conducted jointly by the OCC, FDIC, and Federal Reserve Board, creating a coordinated approach to assessing the security and resilience of technology providers that serve multiple banking institutions. These examinations evaluate providers’ security controls, incident response capabilities, business continuity planning, and the effectiveness of their own third-party risk management programs.

The computer-security incident notification rule adds regulatory teeth to third-party risk management. Banks must notify their primary federal regulator within 36 hours of determining that a notification incident has occurred, while bank service providers must notify affected banks as soon as possible when a material disruption occurs lasting 4 or more hours. These requirements create a structured framework for rapid information sharing that enables coordinated response to incidents that may affect multiple institutions simultaneously.

Cloud computing adoption adds another dimension to third-party risk. The Treasury Department’s report on the financial services sector’s adoption of cloud services identified specific security and resilience risks, leading to the creation of the Cloud Executive Steering Group (CESG) as a public-private partnership in May 2023. The publication of the U.S. Treasury Shared Cloud Lexicon and Terminology in July 2024 reflects efforts to establish common language and understanding around cloud-specific risks in financial services.

OCC Cybersecurity Financial Resilience Requirements for Banks

The report outlines specific cybersecurity and operational resilience expectations that banks must meet to satisfy OCC supervisory requirements. These expectations have been intensified in the FY2025 Bank Supervision Operating Plan, which designates operational resilience and cybersecurity as the top supervisory priority.

Banks are expected to implement heightened threat and vulnerability monitoring processes that go beyond traditional perimeter defense. This includes active engagement with threat intelligence sharing organizations such as FS-ISAC and CISA, participation in industry exercises and tabletop scenarios, and continuous monitoring of both internal systems and external threat indicators. The goal is a proactive security posture that identifies and responds to threats before they can cause material damage.

Multifactor authentication is expected across all systems, reflecting the OCC’s recognition that credential-based attacks, including phishing, business email compromise, and account takeover, represent some of the most common and effective attack vectors. The report emphasizes that MFA implementation must be comprehensive, covering not just customer-facing systems but also administrative access, remote access, and third-party connections. Two practitioner caveats follow from the vectors the report lists: the form of MFA matters, since one-time codes and push approvals can be relayed or fatigued through a phishing proxy while FIDO2/WebAuthn authenticators bind the credential to the origin and resist that relay; and service accounts and API credentials, which cannot present a second factor interactively (the account class compromised in the OCC’s own incident), need compensating controls such as short-lived credentials, least-privilege scopes, and sign-in anomaly monitoring.

System hardening and timely patch management are highlighted as fundamental requirements. The OCC has identified supervisory concerns related to banks operating end-of-life systems that no longer receive security updates, maintaining outdated configurations that create known vulnerabilities, and delaying patch deployment for critical security updates. The report explicitly states that prolonged use of legacy systems introduces security vulnerabilities, maintenance challenges, and reduced operational resilience. Organizations assessing their security posture should also review our analysis of the zero trust architecture framework, which the OCC references as a key security model.

Incident response planning receives particular emphasis, with the OCC expecting banks to maintain regularly tested and updated plans that specifically address ransomware scenarios, DDoS attacks, supply chain compromises, and insider threats. The OCC also recommends that banks consider implementing Sheltered Harbor or equivalent data vaulting solutions for backup and restoration practices, providing an additional layer of resilience against destructive attacks.

Regulatory Modernization and Emerging Technology Guidance

The OCC’s regulatory approach is actively evolving to address emerging technologies and their associated risks. Several significant regulatory developments highlighted in the report will shape the cybersecurity landscape for financial institutions in 2025 and beyond.

Crypto-asset activities received important regulatory clarification through two interpretive letters. Interpretive Letter 1183, issued on March 7, 2025, reaffirmed the permissibility of certain crypto-asset activities and eliminated the supervisory nonobjection process that had previously created regulatory uncertainty. Interpretive Letter 1184, issued on May 7, 2025, confirmed that banks may buy and sell crypto-assets held in custody on behalf of customers and may use sub-custodians for crypto-asset custody services. These letters provide clearer regulatory pathways while maintaining expectations for robust cybersecurity controls around digital asset activities.

The post-quantum cryptography threat, while not imminent, receives attention as a forward-looking risk that banks should begin preparing for. The concern is that a cryptographically relevant quantum computer would break the public-key algorithms (RSA, Diffie-Hellman, and elliptic-curve schemes) that protect today’s key exchange and digital signatures; symmetric ciphers and hash functions are only weakened, and 256-bit keys retain an adequate margin. Banks should monitor quantum-resistant cryptographic standards and begin planning the infrastructure investments that cryptographic transitions will require. NIST’s post-quantum standards provide the reference framework for these preparations: FIPS 203 (ML-KEM, key encapsulation), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA) were published in August 2024, with further standards and transition guidance in progress.

Artificial intelligence governance is an emerging area where the OCC is developing supervisory approaches. The report acknowledges AI’s potential benefits for risk management and customer service while highlighting the need for appropriate controls around AI deployment. Banks using AI for credit decisions, fraud detection, or customer interactions must ensure that their AI systems are subject to appropriate validation, bias testing, and ongoing monitoring.

Community Bank Cybersecurity Challenges and Resources

The report pays particular attention to the cybersecurity challenges facing community banks, which comprise the majority of OCC-supervised institutions. With 727 of the 1,040 supervised banks holding less than $1 billion in assets, community institutions represent a critical segment of the banking system that often faces disproportionate cybersecurity challenges relative to their resources.

Community banks typically benefit from third-party relationships that provide access to technology capabilities they could not develop independently. However, these relationships also reduce direct operational control and may introduce risks that community banks are less equipped to assess and manage. The May 2024 interagency guide specifically targeting community banks on third-party risk management acknowledges this tension and provides scaled guidance appropriate for smaller institutions.

The OCC’s Digitalization page on occ.gov provides additional resources specifically designed for community banks navigating digital transformation. These resources cover topics including cloud adoption considerations, mobile banking security, digital identity verification, and the evaluation of fintech partnerships. The 2021 interagency guide on fintech partnerships also provides relevant due diligence frameworks for community banks considering relationships with technology companies.

Resource constraints create a particular challenge for community bank cybersecurity. While larger institutions can maintain dedicated security operations centers, employ specialized cybersecurity staff, and invest in advanced security technologies, community banks must often rely on shared services, outsourced security monitoring, and general-purpose IT staff who handle cybersecurity alongside other responsibilities. This reality makes the quality and security of third-party relationships even more critical for smaller institutions.

Interagency Coordination and Information Sharing Frameworks

The report emphasizes that effective cybersecurity in the financial sector requires coordination among multiple federal agencies, international regulators, and private sector stakeholders. The OCC participates in an extensive network of coordination bodies that collectively provide the intelligence, standards, and collaborative frameworks necessary for addressing systemic cyber risks.

The Financial and Banking Information Infrastructure Committee (FBIIC), comprising 18 federal and state agencies, provides classified threat briefings that inform supervisory priorities and enable coordinated responses to major cyber incidents. The Financial Services Information Sharing and Analysis Center (FS-ISAC) facilitates real-time threat intelligence sharing between financial institutions and government agencies, providing the early warning capabilities that enable proactive defense.

International coordination through the Basel Committee on Banking Supervision (BCBS), which includes 45 members across 28 jurisdictions, ensures that cybersecurity standards and supervisory approaches maintain consistency across borders. The Financial Stability Board (FSB) provides an additional forum for addressing systemic risks to the global financial system, including cyber risks that transcend national boundaries. For organizations evaluating their cybersecurity readiness against international benchmarks, understanding these coordination frameworks is essential.

The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) implementation represents a significant expansion of incident reporting requirements that will affect financial institutions. While the banking sector already operates under the 36-hour notification rule, CIRCIA will require covered entities to report covered cyber incidents to CISA within 72 hours and ransom payments within 24 hours once CISA’s implementing rule takes effect; the statute contemplates an exemption where substantially similar information is already reported to another federal agency under an agreement with CISA, so banks should watch how the final rule treats the existing 36-hour regime. These broader requirements will create additional reporting obligations and information sharing mechanisms that strengthen the overall cyber defense posture of the financial sector.

Preparing for the Future of OCC Cybersecurity Financial Resilience

The 2025 OCC cybersecurity report makes clear that the pace of change in both threats and technology will continue to accelerate, requiring banks to adopt more agile and forward-looking approaches to cybersecurity risk management. Several strategic imperatives emerge from the report’s analysis that should inform institutional planning for the coming years.

First, banks must treat cybersecurity as a board-level strategic priority rather than a technical function. The OCC’s elevation of cybersecurity to its top supervisory priority signals that examination outcomes will increasingly depend on demonstrated executive engagement with cyber risk. Boards should receive regular, detailed briefings on threat intelligence, security metrics, and incident response readiness, and should be actively involved in approving cybersecurity strategies and investment decisions.

Second, the convergence of AI, cloud computing, and digital assets is creating new attack surfaces that require integrated security approaches. Banks cannot effectively manage cybersecurity risk by treating each technology domain independently. Instead, they need comprehensive security architectures that address the interconnections between cloud infrastructure, AI systems, digital asset platforms, and traditional banking systems.

Third, preparation for post-quantum cryptography should begin now, even though a cryptographically relevant quantum computer does not yet exist. Cryptographic transitions are complex, multi-year undertakings that require a thorough inventory of current cryptographic implementations (algorithms, key sizes, where keys live, and which protocols, vendor products and cloud services embed them), assessment of quantum-vulnerable systems, evaluation of quantum-resistant alternatives, and phased migration planning. Two points shape the ordering: confidentiality is retroactive, so data with a long required lifetime is already exposed to adversaries who record today’s key exchanges for later decryption, which puts key establishment ahead of signatures; and most of the affected code sits in third-party products, so vendor due diligence needs a cryptography question. Banks that begin this process early will be better positioned to manage the transition without disruption.
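The inventory and assessment steps in this section (and in the post-quantum discussion earlier on the page) are the part of the procedure that can be automated. The following Python script is an added illustration for this article, not code from the OCC report or from any bank: it takes a constructed inventory of cryptographic assets (system, purpose, algorithm string, and how long the protected data must stay confidential or valid), classifies each by quantum exposure, and orders the results into a migration queue. The classification rules are standard (Shor’s algorithm breaks RSA, DH and elliptic-curve schemes at any key size; Grover’s algorithm roughly halves symmetric strength; ML-KEM, ML-DSA and SLH-DSA are the NIST FIPS 203/204/205 replacements), but the 10-year harvest-now-decrypt-later horizon, the four-level priority scale, and every system name and lifetime in the sample are assumptions chosen for the example.

```python
"""Quantum-exposure triage for a cryptographic inventory (added illustration,
not code from the OCC report). Inventory records, the 10-year horizon and the
priority scale are constructed assumptions; the algorithm classification is the
standard analysis: Shor breaks RSA/DH/elliptic-curve schemes, Grover halves
symmetric strength, NIST FIPS 203/204/205 define the replacements."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Public-key families broken by Shor's algorithm regardless of key size.
SHOR_BROKEN = {"RSA", "DSA", "DH", "ECDH", "ECDHE", "ECDSA", "EDDSA", "ED25519", "X25519"}
# Symmetric ciphers and hashes: Grover roughly halves effective bit strength.
SYMMETRIC = {"AES", "CHACHA20", "SHA", "SHA2", "SHA3", "HMAC"}
GROVER_MARGIN_BITS = 256   # below this, post-quantum strength drops under 128 bits
# NIST post-quantum standards published in August 2024.
PQC_STANDARD = {"ML-KEM": "FIPS 203", "ML-DSA": "FIPS 204", "SLH-DSA": "FIPS 205"}
# Assumed horizon: data that must stay confidential this long is already worth
# recording now for decryption once a quantum computer exists.
HNDL_HORIZON_YEARS = 10


@dataclass
class CryptoAsset:
    system: str
    purpose: str                  # "key_exchange", "encryption", "signature" or "hash"
    algorithm: str                # e.g. "RSA-2048", "ECDHE-P256", "AES-128-GCM"
    data_lifetime_years: int = 0  # required confidentiality / validity lifetime


@dataclass
class Finding:
    system: str
    algorithm: str
    exposure: str   # quantum-vulnerable | reduced margin | quantum-resistant | unknown
    priority: int   # 1 = migrate now ... 4 = no action
    reason: str


def parse_family(algorithm: str) -> Tuple[str, Optional[int]]:
    """'RSA-2048' -> ('RSA', 2048); 'ECDHE-P256' -> ('ECDHE', 256); 'X25519' -> ('X25519', None)."""
    parts = algorithm.upper().replace("_", "-").split("-")
    family = parts[0]
    if len(parts) > 1 and f"{parts[0]}-{parts[1]}" in PQC_STANDARD:
        family = f"{parts[0]}-{parts[1]}"          # ML-KEM-768, SLH-DSA-SHA2-128S
    for token in parts[1:]:
        if token.isdigit():
            return family, int(token)
        if token[:1] == "P" and token[1:].isdigit():  # NIST curve written as P256
            return family, int(token[1:])
    return family, None


def assess(asset: CryptoAsset) -> Finding:
    family, bits = parse_family(asset.algorithm)

    def finding(exposure: str, priority: int, reason: str) -> Finding:
        return Finding(asset.system, asset.algorithm, exposure, priority, reason)

    if family in PQC_STANDARD:
        return finding("quantum-resistant", 4, f"{family} is standardized in {PQC_STANDARD[family]}")
    if family in SHOR_BROKEN:
        if asset.purpose in ("key_exchange", "encryption"):
            # Confidentiality is retroactive: traffic recorded today is readable later.
            if asset.data_lifetime_years >= HNDL_HORIZON_YEARS:
                return finding("quantum-vulnerable", 1, f"{family} protects data confidential for "
                               f"{asset.data_lifetime_years}y; harvest-now-decrypt-later exposure, "
                               "move to ML-KEM (hybrid) first")
            return finding("quantum-vulnerable", 2, f"{family} key establishment; schedule ML-KEM/hybrid migration")
        if asset.purpose == "signature":
            # Forgery needs the quantum computer at verification time, so signatures trail
            # key exchange, except long-lived roots that cannot be rotated quickly.
            priority = 2 if asset.data_lifetime_years >= HNDL_HORIZON_YEARS else 3
            return finding("quantum-vulnerable", priority, f"{family} signatures; plan ML-DSA/SLH-DSA roll-over")
        return finding("quantum-vulnerable", 2, f"{family} used for {asset.purpose}; review")
    if family in SYMMETRIC:
        if bits is None:
            return finding("unknown", 3, "key or digest length not recorded; confirm it")
        if bits < GROVER_MARGIN_BITS:
            return finding("reduced margin", 3, f"{bits}-bit strength is ~{bits // 2} bits under Grover; prefer 256-bit")
        return finding("quantum-resistant", 4, f"{bits}-bit symmetric strength remains adequate")
    return finding("unknown", 2, f"{family} not in the classification table; manual review")


def build_report(assets: List[CryptoAsset]) -> List[Finding]:
    """Findings ordered most urgent first."""
    return sorted((assess(a) for a in assets), key=lambda f: (f.priority, f.system))


def summarize(assets: List[CryptoAsset]) -> Dict[int, int]:
    """Count of findings per priority level."""
    counts: Dict[int, int] = {}
    for f in build_report(assets):
        counts[f.priority] = counts.get(f.priority, 0) + 1
    return counts


# Constructed sample inventory; system names and lifetimes are invented for the example.
SAMPLE_INVENTORY = [
    CryptoAsset("core-banking-tls", "key_exchange", "ECDHE-P256", 7),
    CryptoAsset("customer-records-archive", "encryption", "RSA-2048", 25),
    CryptoAsset("customer-records-archive", "encryption", "AES-256-GCM", 25),
    CryptoAsset("mobile-app-api", "key_exchange", "X25519", 1),
    CryptoAsset("code-signing-root", "signature", "RSA-4096", 15),
    CryptoAsset("session-tokens", "signature", "ECDSA-P256", 0),
    CryptoAsset("wire-transfer-gateway", "key_exchange", "ML-KEM-768", 10),
    CryptoAsset("legacy-atm-link", "encryption", "AES-128-CBC", 3),
    CryptoAsset("audit-log-integrity", "hash", "SHA-256", 10),
]

if __name__ == "__main__":
    for f in build_report(SAMPLE_INVENTORY):
        print(f"P{f.priority} {f.system:25} {f.algorithm:12} {f.exposure:18} {f.reason}")
    print(summarize(SAMPLE_INVENTORY))
```

Run it directly to print the queue: RSA-wrapped archive data with a 25-year retention requirement comes out first, the RSA code-signing root and the ECDH/X25519 session key exchanges next, and AES-128 appears as a margin concern rather than an emergency. Feed it whatever your scanners and vendor questionnaires return, and treat any "unknown" result as an inventory gap to close, not as a safe finding.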

Finally, the human element remains critical. The report’s emphasis on account takeover, phishing, and social engineering underscores that technology alone cannot solve the cybersecurity challenge. Banks must invest in ongoing security awareness training, cultivate a security-conscious culture at all organizational levels, and ensure that their incident response capabilities include the human judgment and decision-making skills that automated systems cannot replace.

Frequently Asked Questions

What is the OCC’s 36-hour cybersecurity incident notification rule?

The OCC’s computer-security incident notification rule requires banks to notify their primary federal regulator within 36 hours of determining that a notification incident has occurred. A notification incident is a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, the bank’s ability to carry out banking operations or deliver products and services to a material portion of its customers, business lines whose failure would cause material loss of revenue, profit, or franchise value, or operations whose failure would threaten U.S. financial stability. Additionally, bank service providers must notify affected banking organizations as soon as possible when they experience a material disruption lasting 4 or more hours that could impact the services they provide.

How does the OCC’s Cybersecurity Supervision Work Program affect bank examinations?

The Cybersecurity Supervision Work Program (CSW), released in 2023, provides OCC examiners with a standardized framework for evaluating banks’ cybersecurity programs. Aligned with the NIST Cybersecurity Framework and cross-referencing the FFIEC IT Examination Handbook, the CSW defines the specific areas examiners assess during full-scope examinations conducted every 12 to 18 months. Banks should align their cybersecurity programs with the CSW’s structure to ensure favorable examination outcomes and demonstrate regulatory compliance.

What happened in the OCC’s February 2025 cybersecurity incident?

On February 12, 2025, the OCC confirmed unauthorized access to a service account in its cloud-based office automation environment. The account was disabled the same day and reported to CISA. After investigation with the Treasury Department, it was classified as a “major incident” under OMB guidelines, with Congress notified on April 8, 2025. The investigation confirmed no lateral movement from the cloud to on-premises systems. The OCC shared technical indicators of compromise through multiple channels and hardened its cloud environment in response.

What are the OCC’s expectations for community bank cybersecurity?

The OCC recognizes that community banks face unique cybersecurity challenges due to resource constraints and reliance on third-party service providers. Key expectations include comprehensive third-party risk management following the May 2024 interagency guide for community banks, implementation of multifactor authentication, timely patch management, incident response planning, and engagement with threat intelligence sharing through FS-ISAC. Community banks should also leverage the OCC’s Digitalization resources page and conduct thorough due diligence on fintech partnerships.

How should banks prepare for post-quantum cryptography requirements?

While a cryptographically relevant quantum computer is not yet imminent, the OCC recommends that banks begin preparation now. This includes conducting an inventory of current cryptographic implementations across all systems (including those embedded in vendor products and cloud services), identifying systems that rely on quantum-vulnerable public-key algorithms, tracking NIST’s post-quantum standards (FIPS 203, 204 and 205 were published in August 2024, with further standards in progress), evaluating quantum-resistant alternatives for critical systems, and developing phased migration plans that address long-lived confidential data first. Early preparation is essential because cryptographic transitions are complex, multi-year undertakings that require careful planning to execute without operational disruption.
