OCC Warns of Banking Infrastructure RisksDeeper Intrusions Against Networks Overshadow Fraud Concerns
The Office of the Comptroller of the Currency has once again singled out cyberthreats as a leading operational risk for U.S. banking institutions.
The OCC notes in its just-released Semiannual Risk Perspective for 2014 that banking institutions continue to be among the preferred targets for cyber-attacks, and that recent attacks against the retail industry have only reinforced why banking institutions need to be diligent about cybersecurity.
"Recurring security breaches at retail merchants highlight the interdependencies in today's payment systems," the OCC says (see P.F. Chang's Breach: Predates Target?).
Last year marked the first time the OCC named cyber-attacks as being among the financial industry's top operational risks. In the July 2013 report, the banking regulator noted that ever-increasing cyberthreats waged to commit fraud were among the industry's top concerns (see OCC: Cyber Threats Among Top Risks).
"Criminals seeking to steal information, commit fraud, or disrupt, degrade, or deny access to information systems strain bank resources and can cause financial, operational, and reputational harm," the OCC said.
But this time around, the OCC notes that fraud linked to cyber-attacks is not necessarily banking institutions' greatest concern.
Deeper intrusions into banking networks, as well as other components of the financial and payments infrastructure, demand that risk mitigation become a top priority, the OCC's latest report notes.
"There is concern that cyber-criminals will transition from disruptive attacks to attacks that are intended to cause destruction and corruption," the OCC states. "These threats require heightened awareness and appropriate resources to identify and mitigate the evolving risks."
Third-Party Risks Highlighted
Bankers should maintain heightened awareness and appropriate resources to identify and mitigate cyberthreats and vulnerabilities, the OCC says. "Bankers should also ensure that risk management of third-party relationships is commensurate with the breadth, complexity and criticality of these arrangements," the report states.
The OCC recommends institutions follow the risk management guidance related to third parties it issued in October 2013.
Financial fraud expert Shirley Inscoe, an analyst at the consultancy Aite, says the attention that the OCC and other banking regulators are paying to cybersecurity concerns will likely intensify in the coming months.
"Cyberthreats are the biggest operating risk financial institutions currently face, and they never know what form the next threat will take," she says. "Regulators are focusing on these threats as well they should. It is hard to protect against the unknown, and that is exactly what banks must do to successfully combat cybercrime."
Increasing Cyber Concerns
In its July 2013 report, the banking regulator noted that cyberthreats continue to grow and are increasingly more sophisticated (see OCC: Cyber Threats Among Top Risks).
But Inscoe says cyber-threats have continued to evolve in the past year, and the emergence of mobile banking has only heightened concerns about emerging risks.
"As a channel, mobile has some very specific strengths financial institutions can take advantage of for fraud prevention, e.g., geographic location," she says.
Inscoe also notes: "Financial institutions cannot really protect consumers from making poor decisions regarding their mobile devices, but I think they owe it to them to educate them about risk so they can make smart decisions."
In its latest report, the OCC highlights that banking regulators have already issued specific warnings about ATM cash-outs, distributed-denial-of-service attacks and risks related to the Heartbleed open SSL vulnerability. The OCC says banking institutions should be heeding those warnings.
"The number, nature and complexity of both foreign and domestic third-party relationships continue to expand, resulting in increased system and process interconnectedness and additional vulnerability to cyber-threats," the OCC says. "As banks seek new lines of business, some are bundling products and services or assuming new roles as agents between consumers and merchants that increase cross-channel payment, operational and compliance risks."
Aviah Litan, an analyst with Gartner Research, says regulators have serious concerns about DDoS and other cyber-attacks that threaten the critical infrastructure.
"At the Gartner Summit this week, the ex-head of NSA [National Security Agency] said our country is not prepared for DDoS attacks," Litan explains (see The 'Disappearance' of Keith Alexander). "If the bad guys get into the trading system, they could completely take our system down. So, there are a lot of risks. It's a new battleground, and banks need to know what the risks are."
This is especially critical for smaller institutions, which often lean on service providers for security, Litan adds.
"The regulators are probably going to have to get heavy-handed," she says, to ensure community banks that do outsource security fully understand the risks themselves.
Cyber Risk Assessments
The release of the OCC's operational risk report comes on the heels of the Federal Financial Institutions Examination Council's announcement this week that it has started its cybersecurity risk assessment pilot program (see FFIEC Cybersecurity Assessments Begin). During this first wave, which is slated to run through July, more than 500 community banking institutions will be examined.
The aim of the program is to help smaller banking institutions address potential security gaps.
Concern about the security of smaller institutions also has been highlighted by the Financial Stability Oversight Council's annual report, released in early June. And industry groups, such as the Financial Services Roundtable, have noted that smaller institutions should be more focused on enhancing information sharing among third parties and retailers, to ensure they are adequately preparing for risk (see BITS: How to Prepare for Cyberthreats and Why Information Sharing Isn't Working).