In a Risk Perspective released on July 7, 2017, the Office of the Comptroller of the Currency (“OCC”) emphasized the need for institutions to be cyber resilient – i.e., able to withstand and respond to cyber attacks by managing the associated risks. Acting Comptroller Keith Noreika noted in a speech on the same day that “[e]ffective risk management promotes timely detection, response and escalation of operational issues to reduce customer impact due to product failures, possible fraud, and potential unfair or deceptive acts or practices.” Of course, to manage its risks, an institution must first assess them, as emphasized in a recent WannaCry Alert by the Securities and Exchange Commission (“SEC”), recently released HIPAA guidance, and the New York Department of Financial Services (“NYDFS”) new cybersecurity regulations (Davis Polk webinar).
Last week’s OCC statements, combined with the recent SEC and NYDFS activity, show that resiliency – the ability to quickly detect, respond to, and mitigate the damage from a successful attack – is becoming a primary focus of regulators. As noted by SEC staff, “. . . it is not possible for firms to anticipate and prevent every cyber attack . . . . [A]ppropriate planning to address cybersecurity issues, including developing a rapid response capability is important and may assist firms in mitigating the impact of any such attacks and any related effects on investors and clients.” For example, in the wake of the WannaCry ransomware attack, in addition to emphasizing the need for up-to-date software and patches, concerns have been raised about some companies’ ability to recover from a successful attack because their backups may be corrupted, out of date, or not sufficiently isolated from production systems to avoid being encrypted along with them.
The new OCC risk perspective focuses on several areas where cybersecurity measures both reduce the risk of a successful attack and improve resiliency by mitigating any resulting damage:
- Manage Third Party Risk
  - Reduces the risk of a successful attack by ensuring that vendors have adequate controls;
  - Also helps mitigate damage from an attack when vendors are contractually required to (a) inform the company immediately of any incident that may involve the company’s confidential data, and (b) cooperate fully with the company in any investigation and mitigation efforts.
- Provide Employee Training
  - Reduces the risk of a successful attack by teaching employees not to open potentially harmful attachments or click on malicious links;
  - Also helps mitigate damage from an attack when employees are required to promptly report and escalate any potential cybersecurity event, so that detection and response can begin before the attacker has time to spread.
- Implement Strong Authentication and Management of Privileged and High Value User Access
  - Reduces the risk of a successful attack by limiting the ability of bad actors to use compromised credentials to access the system;
  - Also helps mitigate damage from an attack by cutting off the avenues by which bad actors, once inside, move laterally through a company’s network and acquire elevated privileges. This was a significant issue in the cyber attack against Anthem, which resulted in a record $115 million settlement.
Considering the increasing regulatory focus on resilience, companies should make sure that their cybersecurity measures and risk assessments cover resilience – detection, response, and recovery – as well as prevention.