Cyber threats remain a key operational concern for banks, which are otherwise experiencing “near-historic” capital and liquidity highs and improved returns on equity, according to the Office of the Comptroller of the Currency (the “OCC”). The regulator published its Fall 2017 Semiannual Risk Perspective on January 18th, stating that “operational risk remains elevated as banks adopt business models, transform technology and operating processes, and respond to increasing cybersecurity threats.” This conclusion is not new—since its Spring 2013 Risk Perspective, the OCC has consistently identified cyber threats as a source of heightened operational risk. Over time, however, the OCC has shifted from merely cautioning banks about the threat of cyber attacks to insisting that banks take specific steps to both prevent and prepare for such events. In addition, the OCC has become increasingly concerned about the concentration of critical bank operations among a small number of large third-party service providers.
The Increasing Complexity of Cybersecurity Threats
As it did in its Spring 2017 Risk Perspective, the OCC has stressed the increasing speed and sophistication of cyber threats and the particular vulnerability of banks to phishing. The OCC is urging banks to conduct phishing-awareness training for their users. In addition, the OCC is calling for the following to both prevent and prepare for a cyber incident:
- A systems development life cycle that incorporates regular maintenance and systems updates to ensure that software is supported, updated and patched appropriately.
- An established and tested incident response plan that clearly designates the personnel responsible for key response functions, including public affairs, legal, and coordination with service providers, law enforcement and government entities.
- Strong authentication and management of privileged access (e.g., system administrators, executives with access to highly sensitive information).
Concentration of Critical Bank Operations in a Few Large Service Providers
Whereas the OCC has previously noted concerns about banks’ lack of oversight of third-party service providers, in this recent report the regulator appeared more concerned about consolidation among those service providers and the resulting concentration risk. The OCC stated that supply-chain companies provide “back doors” into bank operations and, accordingly, are convenient targets for cybercrime and espionage. As the OCC points out, concentrating critical operations in a limited number of companies creates single points of failure that, if exploited, could result in systemic risk to the financial services sector.
Steps Banks Should Consider
In light of the kinds of concerns raised by the OCC, financial institutions are adopting some of the following measures to mitigate these cybersecurity risks:
- Creating a robust system for identifying outdated software and patching it, updating it, or replacing it.
- Conducting periodic cybersecurity vulnerability assessments and penetration testing.
- Regularly reviewing and testing access controls.
- Requiring multi-factor authentication for remote access to computer systems and for sensitive internal access points.
- Conducting periodic cybersecurity reviews of third-party service providers with access to sensitive information, and ensuring that such providers are obligated to provide prompt notice of material cyber events that involve the bank’s confidential data.
- Conducting training and testing for employees on phishing.
- Conducting periodic tabletop exercises of mock cyber events with incident response teams and senior management.
- Establishing, in advance of an incident, a decision-making process for responding to ransomware attacks and ransom demands.
The author of this post gratefully acknowledges the assistance of law clerk Daniela Dekhtyar-McCarthy in preparing this entry.