OCC Highlights Cyber Security Risks to Smaller Financial Institutions

The issues raised in a recent speech given by Comptroller of the Currency Thomas Curry in Washington, D.C. touched on both new and ongoing topics of discussion related to cyber security in the financial services industry. It’s outstanding to see such a senior policymaker focusing on smaller institutions, such as community banks and thrifts, since those are indeed some of the softer targets for cyber-attacks of various types. And while it’s not the first time that a well-known individual such as Curry has given such a speech on such a dedicated topic, it is a fairly rare occurrence and is therefore worth digging into. Here are some of the key takeaways from this speech:

1. Examination Procedures: It’s encouraging to see the focus on updating examination procedures in light of the fact that the threat landscape is changing rapidly; highlighting this reality to the financial services industry remains an important goal of US (and other) regulators.
2. Information Sharing: Second, we continue to see an increase in sharing, both across financial services agencies and between the banks and the government. For instance, President Obama’s February 2013 Executive Order emphasized information-sharing; and although some financial services firms are reluctant to share sensitive customer and security information with the government, there nonetheless appear to be enormous benefits in doing so, as it helps educate peer groups and analysts about cybercriminals’ tactics and maneuvers.
3. “Interconnectedness”: This notion was a key theme of Curry’s concerns. While others have written about the need to mitigate 3^rd-party risk, Curry’s approach is a slightly new one, as he highlights the specific concern regarding how the overlapping relationships can cause problems: “Each new relationship and connection provides potential access points to all of the connected networks and introduces different weaknesses into the system. Ultimately, these interconnected networks are vulnerable to attacks that may affect multiple organizations at one time.”
4. Community Banks & Thrifts: Finally, it’s quite unusual to have a public figure as well-known as Curry highlights the needs of smaller financial institutions. Typically, such institutions express concerns about not having adequate resources (funding, staff, training, equipment, expertise, etc.) to dedicate to topics such as Information Security beyond the most pressing issues right in front of their nose. Curry states “we are focusing in particular on community banks and thrifts” … [and] “it is very likely that hackers will turn their attention to community banks” … [that] “may have less sophisticated defenses than large banks.” As anyone who has watched the growth in phishing, malware, or DDoS attacks in the past decade against the US financial services industry can attest, what Comptroller Curry is saying is spot on.

In sum, the OCC speech sets new groundwork by re-emphasizing some of the areas already discussed by other key US regulatory and government officials and yet also weaves in a series of new and original ways to consider mitigation against cyber-security problems.