Cybersecurity Audit in US Financial Services and Banking
Cybersecurity audits in US financial services and banking operate within one of the most densely regulated compliance environments in the American economy, governed by overlapping federal mandates, examination authorities, and sector-specific frameworks. This page describes the scope of cybersecurity audit activity in the banking and financial services sector, the mechanisms and phases through which audits are conducted, the scenarios that trigger formal review, and the boundaries that distinguish one audit type from another. Professionals navigating the service providers and service categories listed on this site will find this reference useful for contextualizing the regulatory demand driving audit engagements.
Definition and scope
A cybersecurity audit in financial services is a structured, evidence-based examination of an institution's information security controls, policies, infrastructure, and risk posture against a defined standard or regulatory requirement. The scope is bounded by the institution's asset inventory, the regulatory frameworks applicable to its charter type and data holdings, and the examination objectives set by the engaging authority — whether an internal audit function, an external third-party firm, or a federal or state regulator.
The principal regulatory authorities governing cybersecurity audit requirements in US banking include:
- The Federal Financial Institutions Examination Council (FFIEC), which publishes the FFIEC Cybersecurity Assessment Tool (CAT) — a voluntary but widely adopted framework mapping inherent risk to cybersecurity maturity across five domains.
- The Office of the Comptroller of the Currency (OCC), which examines national banks and federal savings associations under 12 C.F.R. Part 30, Appendix B (Interagency Guidelines Establishing Information Security Standards).
- The Federal Reserve Board (FRB) and the Federal Deposit Insurance Corporation (FDIC), which apply equivalent standards to state-chartered member banks and insured non-member institutions respectively.
- The New York Department of Financial Services (NYDFS), whose 23 NYCRR Part 500 imposes mandatory cybersecurity program requirements, including annual penetration testing and biannual vulnerability assessments, on covered financial entities operating in New York.
- The Gramm-Leach-Bliley Act (GLBA) Safeguards Rule, enforced by the Federal Trade Commission (FTC) and updated in 2023 (16 C.F.R. Part 314), requiring financial institutions to implement, test, and audit an information security program.
The scope of a cybersecurity audit engagement in this sector typically includes identity and access management, network security architecture, encryption and data protection controls, incident response readiness, third-party vendor risk, and business continuity planning.
How it works
A cybersecurity audit in financial services proceeds through defined phases that mirror the internal audit lifecycle while incorporating the evidence standards required for regulatory examination. The structure below reflects common practice aligned with NIST SP 800-53 Rev. 5 control assessment methodology and FFIEC examination procedures.
- Scoping and pre-audit planning — The audit team defines the systems, processes, and regulatory frameworks in scope. An institution's FFIEC CAT baseline risk profile typically informs scope prioritization.
- Control inventory and documentation review — Auditors collect written policies, procedure documentation, configuration baselines, and prior examination findings. Gaps between documented controls and operational practice are flagged at this stage.
- Technical testing — This phase includes penetration testing (required annually under 23 NYCRR Part 500 for NYDFS-covered entities), vulnerability scanning, and configuration audits of firewalls, endpoint protection systems, and access control infrastructure.
- Interview and process walkthrough — IT security, operations, and executive personnel provide evidence of control execution. Segregation of duties and change management processes receive particular scrutiny in banking environments.
- Evidence analysis and control mapping — Findings are mapped against the applicable standard (NIST CSF, FFIEC CAT, ISO/IEC 27001, or a regulatory examination manual). Each control is rated for design adequacy and operating effectiveness.
- Findings report and remediation tracking — A formal report documents deficiencies, assigns risk ratings, and establishes remediation timelines. Repeat findings from prior examinations carry elevated risk ratings under OCC and FDIC examination practice.
Common scenarios
Financial institutions encounter cybersecurity audit activity across four primary scenarios:
Regulatory examination — Federal and state banking examiners conduct cybersecurity reviews as part of scheduled safety-and-soundness examinations or targeted IT examinations. OCC-supervised national banks receive IT examinations on cycles tied to their CAMELS composite rating.
Third-party vendor audit — GLBA and FFIEC guidance require financial institutions to audit critical third-party service providers. A bank processing card transactions through a vendor subject to PCI DSS (Payment Card Industry Data Security Standard, v4.0) must validate vendor compliance as part of its own control environment.
Post-incident review — Following a confirmed breach or material system compromise, regulators including the OCC and FDIC may require a targeted cybersecurity audit. The NYDFS requires covered entities to notify the Department within 72 hours of a cybersecurity event as defined under 23 NYCRR 500.17.
Merger, acquisition, and licensing due diligence — Cybersecurity audit activity is standard in bank acquisition transactions, where the acquiring institution's internal audit or an engaged third party evaluates the target's control posture before regulatory change-of-control applications are filed.
Decision boundaries
Distinguishing between audit types determines which professionals, frameworks, and regulatory obligations apply.
Internal audit vs. external audit — Internal audit functions at banks operate under the Institute of Internal Auditors (IIA) International Standards. External cybersecurity audits are conducted by independent CPA firms or specialized cybersecurity assurance firms under AICPA attestation standards (AT-C Section 205) or SOC 2 Type II examination frameworks. Regulators treat external audit findings as supplementary evidence, not substitutes for examination authority.
Compliance audit vs. risk-based audit — A compliance audit tests adherence to a specific control set (e.g., 23 NYCRR Part 500 or GLBA Safeguards Rule). A risk-based audit, as described in NIST SP 800-30 Rev. 1, prioritizes controls by threat likelihood and impact, and is the approach preferred by the FFIEC for larger institutions with complex risk profiles.
SOC 2 vs. regulatory examination — SOC 2 Type II reports, produced under AICPA standards, address the Trust Services Criteria and are commonly required from fintech vendors and cloud service providers serving banks. They do not satisfy direct regulatory examination requirements under OCC or FDIC authority. The "how to use this cyber audit resource" page clarifies how these audit categories map to the service providers listed on this site.