OCC: Cyber Threats Among Top RisksRegulator for First Time Links Cyber to Operational Risks
One of the top U.S. banking regulators has for the first time named cyberthreats as a major factor heightening banks' operational risks. And banking security experts say this is a sign that greater regulatory scrutiny will come.
The Office of the Comptroller of the Currency, in its spring 2013 Semiannual Risk Perspective report, points out that cyberthreats continue to grow, and are increasingly more sophisticated.
"The increasing volume and sophistication of cyberthreats pose an ongoing challenge to the confidentiality, integrity and availability of systems," the OCC states. "Criminals seeking to steal information, commit fraud, or disrupt, degrade, or deny access to information systems strain bank resources and can cause financial, operational, and reputational harm."
What's more, the cyber-attacks facing banking institutions continue to evolve at an accelerated rate, and have changed since the OCC last issued its Risk Perspective in fall 2012, says OCC spokeswoman Stephanie Collins. "This report is the first highlighting operational risk associated with cyberthreats," she says.
That line between cyber-attacks and operational risk is significant, because it illustrates why banks can expect more regulatory scrutiny in the future.
"What this tells me is that they are seeing potentially serious consequences in the field resulting from cyber-attacks, and that they will be examining their banks more closely to ensure they defend themselves properly," says financial fraud expert Avivah Litan, a distinguished analyst for consultancy Gartner. "Of all the regulators, the OCC seems to be at the forefront of understanding the seriousness of cyberthreats. I'm sure they work with U.S. intelligence agencies that inform their resulting strategy."
Joe Rogalski, a security consultant and former fraud and compliance officer for First Niagara Bank, a $36 billion institution in New York state, says the timing of the connection the OCC is making is even more significant. The onset of distributed-denial-of-service attacks against U.S. banking institutions date back to September 2012, around the time the last Risk Perspective was issued.
"We have seen recently with the DDoS attacks that cyber-events can have a strong, adverse effect on institutions' ongoing operations, and can disrupt them if risk management and thorough assessments are not performed and countermeasures are not implemented," he says. "Banks need to think about what the next attacks are and become proactive, instead of reactive. In these times, creative thinking and security intelligence are paramount."
The OCC, which has four district offices in the U.S. and one office in London, to supervise international activities, oversees the country's top national banks as well as thrifts with less than $10 billion in assets. OCC examiners analyze loan and investment portfolios, funds management, capital, earnings, liquidity and sensitivity to market risk for all national banks and federal thrifts.
The Risk Report
In the report, the OCC notes that some banks are changing the ways they apply technologies, which could adversely affect their abilities to detect and defend themselves against risk.
Specifically, the OCC calls out as risk factors the:
- Adoption of new and less market-tested applications;
- Reengineering of business processes;
- Increased reliance on outsourcing to reduce operating costs.
"While these tactics can help meet strategic business objectives, banks need to understand and manage the associated risks and provide effective ongoing oversight," the OCC states. "The consequences of business process reengineering for lower operating costs may fall disproportionately on compliance, audit, risk management, operations or internal control mechanisms and may adversely affect a bank's ability to identify, measure and control risks."
Collins says banking institutions of all sizes are facing similar challenges, but that "regulatory requirements are strengthening banking institutions' awareness and preparedness against cyberthreats."
"Examinations are conducted per the FFIEC handbook," she says. "The OCC is conducting outreach across all banks it supervises, to help them understand the risks posed by cyberthreats and the public-private partnerships in place that can assist with information sharing."
But information sharing and outreach can only go so far, she adds. "Financial institutions should implement robust risk management processes that include appropriate governance and support from senior management to properly identify, monitor, measure, and control the operational risks posed by cyberthreats," she says.
Heightened awareness about ongoing cyber-attacks within the bank itself also is more important, the OCC says, and banks need to ensure they have the right resources to identify and mitigate emerging risks.
"The effects of cyber-attacks include reduced availability or diminished response times of online banking services, identity theft, fraud, and theft of proprietary information," the report states. "The costs and resources needed to manage the risks continue to increase, as the attacks broaden and intensify. Over time, the effects could expand as the capabilities and tactics of cyber-criminals evolve."
What it Means for Banks
Rogalski says the OCC's actions here should definitely get upper management's attention. The OCC does not usually address cyberthreats in its advisories, he adds.
"The executive wing has turned a blind eye to cyberthreats in the past, as the losses have never been large enough to get their attention," Rogalski says. "With the disruption of operations and the large dollar losses recently, I believe we are just at the tip of the iceberg, if they continue not to take cyber-risks seriously."
In fact, the OCC explicitly states that policy and supervisory actions will be impacted by new cyberthreats.
"OCC supervisory staff will focus the review and assessment of operational risk on contemplated changes to business models and responses to strategic opportunities, such as the introduction of new or revised business products, processes, or delivery channels," the report states. "Robust preparation and contingency planning for operational or technology failures, as well as natural disasters, remain essential."
The OCC has asked for feedback about the report. Comments can be sent to NRCReport@occ.treas.gov.