OCC's Curry: Third-Party Risks Growing
Managing Vendor Security Is Increasing Concern

Comptroller of the Currency Thomas Curry warned in an April 16 speech that third-party security risks are creating increasing vulnerabilities for community banks.
Ensuring due diligence and ongoing risk assessments of all third parties must be a part of every banking institution's vendor management program, he stressed in a presentation at a Washington event.
"Many smaller institutions depend upon third-party providers for their IT services, including security," Curry said. "But they still have to be able to assure themselves that these service providers have adequate controls and solid processes in place to protect them and their customers. This can be particularly problematic for community banks and thrifts that may not have the resources or specialized expertise needed to identify and mitigate these vulnerabilities."
Back in October, Curry's office issued updated guidance related to third-party risks. The update noted eight areas where banking institutions need to make improvements to their vendor management programs related to third-party relationships.
In its guidance, Curry's office pointed out that institutions face new and increased operational, compliance, reputation, strategic and credit risks when dealing with third parties.
Banks' Responsibilities
Curry's speech reinforced that banking institutions have to be responsible for monitoring and ensuring the ongoing security of the vendors with which they work, even if those vendors are subject to regulatory oversight.
"Those of you who provide services to banks are probably aware that we examine a category of vendors designated as technology service providers, or TSPs, and that we also have authority under the Bank Service Company Act to issue enforcement actions when necessary," Curry said. "Our supervision does not take the place of due diligence or ongoing monitoring commensurate with the level of risk and complexity of the arrangement."
Risk management practices haven't always kept pace with emerging risks, he said, and banking institutions that depend too heavily on a single vendor can face catastrophic consequences.
"Service providers are consolidating and leaving financial institutions more dependent upon a single vendor," he said. "As a result, deficiencies at one vendor have the potential to affect a large number of banks simultaneously."
Curry also singled out concerns about foreign-based subcontractors for third-party vendors. "Banks need to consider the legal and regulatory implications of where their data is stored or transmitted and make a determination as to whether geographic limitations are needed in their contracts," he said.
Third parties are often given access to sensitive data about the banking institutions as well as their customers, he pointed out.
FFIEC Oversight
Last year, the Federal Financial Institutions Examination Council created a Cybersecurity and Critical Infrastructure Working Group, which aims to enhance information sharing among banking regulators, law enforcement and homeland security officials, Curry noted. "This working group will also consider how best to implement the President's Executive Order on Cybersecurity, as well as how to address recommendations of the Financial Stability Oversight Council," he said.
Banking institutions are cybercriminals' most sought-after targets, Curry said. "The system is also vulnerable because of the banking industry's significant reliance on technology and telecommunications, and more important, from the interconnections between these systems," he added. "Each new relationship and connection provides potential access points to all of the connected networks, thereby introducing new and different weaknesses into the system."
This is why enhanced and ongoing information sharing across banking institutions and other entities that touch financial services is critical, he said. "The FFIEC working group ... will help in the process of improving awareness across the financial system, particularly among community institutions, about the evolving nature of the cyber landscape."