The Office of the Comptroller of the Currency (OCC), the Federal Financial Institutions Examination Council (FFIEC), and a number of other important bodies have recently highlighted the importance of increasing diligence against cyber threats.
As the FFIEC launched its cybersecurity assessment pilot program, other organizations called for more knowledge-sharing. But it is the heightened focus on banking institutions’ operational risk that brought these protection strategies to a whole new level. In fact, the OCC was among the first to publicly describe the critical nature of cyber threats last year, naming them as major factors in financial institutions’ operational risk. It is worth noting that hints of this appeared as early as May 2012 in remarks made by the OCC’s head, Comptroller Thomas J. Curry.
What does all the dialogue coming out of the OCC and other regulatory bodies really mean?
- First, none of this activity should come as a surprise to financial institutions. The cybercrime problem continues to worsen, as we all see played out in the media every day, and the need to ensure that our nation’s critical infrastructure is hardened can’t be delayed.
- Second, with approximately 13,000 banks and credit unions, the U.S. financial sector has a wide, varied, and potentially exposed attack surface. These mentions of cybersecurity are simply the next step in the natural evolution of how regulators handle such threats and concerns when dealing with an exposed segment of the U.S. economy that finds itself under increasingly sophisticated attacks.
- Third, financial institutions would be wise to assume that cybersecurity will become increasingly regulated; in addition, they should begin to plan a strategy that includes “cyber” in their already full plate of compliance initiatives. And while this change perhaps won’t happen overnight, financial institutions should in the meantime ensure that they have a logical risk management framework in place that guides and comprehensively covers the people, processes, and technology needed to mitigate cyber threats.
As we’ve mentioned, another key area of discussion around this area of operational risk is information sharing. Banks are sharing information and trends informally – and have been doing so for years. But what is different now is that the sharing communities have become larger and the government itself is supporting sharing initiatives in a much more robust manner than ever before.
Is it an important milestone that the OCC continues to focus on cyber risks as a leading threat facing financial institutions? In fact, it is extremely noteworthy and is aligned in many ways with previous actions. What the OCC espouses lines up with what groups like the FS-ISAC have been saying for many years. It also aligns with President Obama’s February 2013 “Executive Order on Improving Critical Infrastructure Cybersecurity” and the National Institute of Standards and Technology (NIST) February 2014 voluntary guidelines, which emphasized how the private sector should handle cybersecurity risks.
But cyber threats are no longer a category in and of themselves. The risks connected to cyber attacks are so pernicious that they are now a serious consideration in the world of operational risk – a C-suite level and board room issue if there ever was one! The lines are drawn, and operational risk management teams have already begun to connect their analysis and risk reviews back to cyber threats. And they can’t move fast enough in doing so!