OCC Expands on Third-Party Cyber-RisksDirector Offers Review of New Cyber-Resiliency Guidance
The agencies that comprise the Federal Financial Institutions Examination Council are diligently working to help financial institutions shore up cybersecurity, and a big focus for regulators is third-party risks, says Kevin Greenfield, director of bank IT for the Office of the Comptroller of the Currency.
In an exclusive interview with Information Security Media Group (transcript below), Greenfield reviews how new regulatory guidance related to "cyber-resiliency" will impact banking institutions, as well as steps federal banking regulators are taking to ensure banks and credit unions are adequately addressing third-party risks.
"Financial institutions of all types and sizes must remain vigilant to protect against and mitigate the risks they face, whether from cyber-events or the actions of third-party servicers acting on their behalf," Greenfield says.
Cyber-Risks Get Attention
In February, the FFIEC issued new business continuity guidelines that addressed what it calls "cyber-resiliency" (see FFIEC Issues Cyber-Resilience Guidance). The guidelines were included in a new 16-page appendix that was added to the Business Continuity Planning Booklet, which was first issued in March 2003 and included within the FFIEC's IT Examination Handbook.
The new appendix, known as Appendix J, "Strengthening the Resilience of Outsourced Technology Services," specifically calls out key cybersecurity risks, such as distributed-denial-of-service attacks, the need for more due diligence of third parties and infrastructural interdependencies regulators have for months been telling banking leaders they need to address (see FDIC: What to Expect in New Guidance).
The guidelines offer a more detailed description of the cybersecurity initiatives banks and credit unions will be asked about during upcoming IT examinations, with cyber-resiliency - an organization's ability to withstand a cyber-attack by minimizing the disruption or impact that attack has on its ability to conduct business - a fundamental focus.
As the lead agency of the FFIEC, the Office of the Comptroller of the Currency, with leadership from Comptroller Thomas Curry, has been increasingly outspoken about the need for banking institutions to enhance their cybersecurity strategies, with greater attention being paid to the risks third parties pose to overall cyber-resiliency.
In the interview, Greenfield touches on third-party risks from a variety of angles, including merchant-processing risks - a topic the OCC addressed in revised guidance issued in August (see OCC: More Third-Party Risk Guidance).
Emerging Third-Party Risks
Tracy Kitten: What types of third-party risks are most concerning?
Greenfield: Examiners have seen increasing use of third parties to leverage efficiencies of scale and access subject matter expertise and avenues to offer new products and services. Risks and the level of concern related to any engagement with third parties are specific to the individual risk profile of the financial institution, the controls within the service provider and the specific services being provided.
While not necessarily the most concerning for every institution, the OCC has been focused on how financial institutions manage these key risks with the use of third parties through:
- Increased outsourcing of critical bank activities;
- Greater reliance by third parties on subcontractors;
- Ensuring that services are provided in compliance with applicable laws and regulations;
- Maintaining the security and confidentiality of sensitive customer information; and
- Interconnectivity risks, from a security perspective, with third parties.
There are many risk and control considerations associated with the engagement and use of third parties that financial institutions need to manage; these are outlined in OCC Bulletin 2013-29 Third-Party Relationships: Risk Management Guidance.
Defining Third Parties
Kitten: Recent statements from the OCC suggest that how banks define third parties should go far beyond the traditional definition for technical service providers. Can you elaborate?
Greenfield: Much attention and focus has been directed at "technology service providers" and the operational risks associated with core banking operations that may be outsourced. However, as outlined in OCC Bulletin 2013-29, there are many different types of services and risks associated with those activities that financial institutions need to manage. This may include monitoring of firms that provide add-on products, mortgage foreclosure services or debt collection services to ensure compliance with applicable laws and regulations.
The key message is that financial institutions need to understand what particular risks may be associated with each service being outsourced, determine the level of exposure to the financial institution, and then ensure appropriate controls and monitoring processes are implemented to the same extent they would be if the operation were conducted within the institution. A financial institution can outsource an operation or function, but the risk and responsibility to ensure the activity is performed in a safe and sound manner and in compliance with applicable laws remains with the bank.
Merchant and Payments Risks
Kitten: How are third-party risks associated with merchants and payments processors impacting banks, and how does the OCC view these risks?
Greenfield: As outlined above, there are a number of risks associated with different types of products and services offered. The OCC outlines risk-management and control expectations in the Comptroller's Handbooks for Merchant Processing, Payment Systems and Funds Transfer, and several of our other safety and soundness and compliance handbooks.
In addition, the FFIEC member agencies have published a number of guidance statements and handbooks addressing risks associated with retail and wholesale payments.
Kitten: Could new guidance, beyond Appendix J, be on the way?
Greenfield: The OCC, along with the other FFIEC member agencies, regularly evaluates the need to update existing or develop new examination handbooks.
What Is 'Cyber-Resiliency'?
Kitten:Why the term "cyber-resiliency"? What does this term encompass?
Greenfield: Business resilience has been a long-existing risk management and control expectation for the financial industry, and safety and soundness requirement by banking regulatory agencies. The use of the term "cyber" is a recognition of the changing business model employed by the financial sector and all industries that have seen an increased level of interconnectivity for conducting business, external dependencies, and new and emerging threats and vulnerabilities due to this connectivity.
While financial institutions are expected to have risk management processes that anticipate and proactively address resilience in the face of both current and emerging risks, prior guidance had focused primarily on planning and recovery from physical events impacting bank operations. Guidance communicated under cyber-resilience more clearly articulates the risks and control expectations for electronic-based threats and vulnerabilities, such as directed-denial-of-service and destructive malware threats.
Kitten:As Deputy Comptroller Beth Dugan noted in her address before The Clearing House on Feb. 11, cyberthreats are unique. So why include them within business continuity guidance?
Greenfield: It is not clear as to what portion of Deputy Comptroller Dugan's Feb. 11, 2015, speech you are referring, but I don't believe she stated cyberthreats are unique. She did specifically comment on the need the take a more comprehensive view of cyberthreats' impact on resiliency planning, noting: "Risk grows with the competitive pressure to make those systems even more open and responsive in response to the demand for connectivity and integration, and the complexity and interconnections of the infrastructure on which these linkages depend. It's for this reason that resiliency is taking on a new importance. We used to call it 'business continuity' or 'contingency planning.' And we used to think of it as restoring and resuming operations after a fire or natural disaster or technology disruption. However, the levels of connectivity and dependence - both internally and externally - have changed. As a result, our approach to business resiliency needs to change as well."
This excerpt from Deputy Comptroller Dugan's Feb. 11 speech provides insight into why the FFIEC agencies identified the need to address cyberthreats in business continuity guidance. Ms. Dugan points out in her speech that recovery plans for physical threats are still very important, but the level of interconnectivity, emerging concentrations in service providers and the changing nature of cyberthreats call for new and creative thinking about resiliency.
Kitten: Is this the first time an appendix like this has been added to the IT Examination Handbook?
Greenfield: No, the FFIEC member agencies have issued prior appendices to the FFIEC IT Handbook. Examples included in the Business Continuity Handbook booklet itself include Appendix D - Pandemic Planning and Appendix F - Business Impact Analysis Process.
OCC's Take on Cyber-Risks
Kitten: The OCC has been very outspoken about emerging cyberthreats and third-party risks, more so than any other agency. Obviously, as the lead agency of the FFIEC, the OCC plays a different role than other FFIEC agencies. But are cyber and third-party risks more of a focus for the OCC than other agencies for a reason?
Greenfield: The OCC is one of several regulatory agencies that comprise the FFIEC. Comptroller Curry is the current chair of the FFIEC and has worked with his fellow council members to focus on emerging cybersecurity threats, as demonstrated by the creation of a Cybersecurity and Critical Infrastructure Working Group and the interagency cybersecurity assessment program conducted last year (see New FFIEC Cyber Exams: What to Expect).
The OCC remains focused on third-party risks and cybersecurity threats and on communicating expectations for the financial institutions we supervise. These are outlined in interagency and OCC-specific guidance we have issued in recent years and messages conveyed through public-speaking events.
Noteworthy Third-Party Risks
Kitten: The cyber-risk pilot exams highlighted a number of third-party risks. Which ones stood out the most?
Greenfield: As communicated in the FFIEC Cybersecurity Assessment General Observation published on Nov. 3, 2014, external dependency management, as it relates to connectivity to third-party service providers, business partners, customers or others, and financial institutions' oversight of these relationships, is very important to an effective cybersecurity framework. It is important for management to consider the risks of each connection and evaluate the third party's cybersecurity controls.
It is also important that financial institutions understand the cybersecurity risk management processes and incident response plans of the third parties that maintain bank or customer sensitive information or support critical operations.
Kitten: Have improvements been made?
Greenfield: The OCC cannot comment on the results of supervisory activities at specific financial institutions. However, the OCC has gone to significant efforts to communicate the importance of maintaining an effective third-party risk management program and cybersecurity controls. Publication of OCC Bulletin 2013-29 Third-Party Relationships: Risk Management Guidance and subsequent industry outreach efforts have broadened the understanding of risk management expectations throughout the third-party engagement lifecycle.
The FFIEC cybersecurity assessment conducted in 2014 helped to highlight risks associated with external dependencies and the need for greater threat and vulnerability monitoring. This has resulted in greater focus on external connectivity risks and increased participation in information sharing forums, such as FS-ISAC [Financial Services Information Sharing and Analysis Center].
Kitten: Any final thoughts you can share about the overall state of cybersecurity and additional best practices or guidelines surrounding third-party risks banking institutions might expect this year?
Greenfield: The OCC maintains high expectations for our supervised entities in the area of cybersecurity and third-party risk management. Financial institutions of all types and sizes must remain vigilant to protect against and mitigate the risks they face, whether from cyber-events or the actions of third-party servicers acting on their behalf. We at the OCC will continue to reassess and update our supervisory guidance and communications to support financial institutions in their efforts to maintain a strong and secure banking system.
The Comptroller has emphasized the importance of communication, collaboration and cooperation in all aspects of our mission. This communication and collaboration is especially important as it relates to cybersecurity and third-party risk management, where the risks can transcend institutional and industry boundaries.