OCC Highlights Cyber Security Risks to Smaller Financial Institutions

Actimize FMC Product Team, Financial Markets Compliance

The issues raised in a recent speech given by Comptroller of the Currency Thomas Curry in Washington, D.C. touched on both new and ongoing topics of discussion related to cyber security in the financial services industry. It’s outstanding to see such a senior policymaker focusing on smaller institutions, such as community banks and thrifts, since those are indeed some of the softer targets for cyber-attacks of various types. And while it’s not the first time that a well-known individual such as Curry has given a speech dedicated to this topic, it is a fairly rare occurrence and is therefore worth digging into. Here are some of the key takeaways from this speech:

  1. Examination Procedures: It’s encouraging to see the focus on updating examination procedures in light of the fact that the threat landscape is changing rapidly; highlighting this reality to the financial services industry remains an important goal of US (and other) regulators.
  2. Information Sharing: We continue to see an increase in sharing, both across financial services agencies and between the banks and the government. For instance, President Obama’s February 2013 Executive Order emphasized information-sharing. Although some financial services firms are reluctant to share sensitive customer and security information with the government, there nonetheless appear to be enormous benefits in doing so, as it helps educate peer groups and analysts about cybercriminals’ tactics and maneuvers.
  3. “Interconnectedness”: This notion was a key theme of Curry’s concerns. While others have written about the need to mitigate third-party risk, Curry’s approach is a slightly new one, as he highlights the specific concern regarding how the overlapping relationships can cause problems: “Each new relationship and connection provides potential access points to all of the connected networks and introduces different weaknesses into the system. Ultimately, these interconnected networks are vulnerable to attacks that may affect multiple organizations at one time.”
  4. Community Banks & Thrifts: Finally, it’s quite unusual to have a public figure as well-known as Curry highlight the needs of smaller financial institutions. Typically, such institutions express concerns about not having adequate resources (funding, staff, training, equipment, expertise, etc.) to dedicate to topics such as Information Security beyond the most pressing issues right in front of them. Curry states “we are focusing in particular on community banks and thrifts” … [and] “it is very likely that hackers will turn their attention to community banks” … [that] “may have less sophisticated defenses than large banks.” As anyone who has watched the growth in phishing, malware, or DDoS attacks in the past decade against the US financial services industry can attest, what Comptroller Curry is saying is spot on.

In sum, the OCC speech sets new groundwork by re-emphasizing some of the areas already discussed by other key US regulatory and government officials, while also weaving in a series of new and original ways to consider mitigation against cyber-security problems.
