OCC on Cybersecurity: More Regs on Way?Emerging Threats Could Spur More Oversight for Banks
Banking leaders and security experts say a Sept. 18 speech by Comptroller of the Currency Thomas Curry, in which he highlighted the urgency of addressing emerging cyberthreats, put several important issues in the spotlight (see OCC's Curry: Cyberthreats Are Grave).
Some were pleased to see a high-profile banking regulator address the cybersecurity issue head-on. And they say the speech could be an early indication that regulators will provide more clarification, perhaps through regulatory oversight, about the security gaps banking institutions and service providers are expected to fill.
Still, others question whether regulators are really ready to ramp up enforcement.
Securing Critical Infrastructure
In his speech, Curry, who also chairs the Federal Financial Institutions Examination Council, discussed how a new task force, known as the Cybersecurity and Critical Infrastructure Working Group, will enhance information sharing among regulators, law enforcement and intelligence communities.
"We need to identify and address gaps in the landscape of federal and state bank examination policies related to cybersecurity and critical infrastructure resilience," Curry stated. "It is important that our examiners continue to have clear and meaningful policy guidance to address today's threats - and tomorrow's."
Mike Wyffels, senior vice president and chief technology officer of QCF Holdings, a $2 billion bank holding company based in Iowa, says providing more clarification about the security gaps banking institutions are expected to fill will likely be welcomed by the industry, even if that means more regulatory oversight.
Curry also noted in his speech: "We are reviewing our policies and updating examination handbooks, procedures and training to ensure that as cyber-threats evolve, all banks and thrifts are prepared to effectively identify the risks and strengthen their risk management and control systems."
Fine-tuning bank examination policies related to cybersecurity would strengthen protections for banking institutions and consumers, Wyffels says. But that will require a collaborative effort among vendors, institutions and others touching the financial chain, he adds.
"Many organizations, not limited to banks, will have to participate to implement recommended changes for layers of protection to continue to improve," he explains.
Oversight of Third-Parties
Curry also noted the need for more regulatory oversight of third-party service providers.
"Banks not only operate their own networks, they also rely on third parties to support their systems and business activities," Curry said. "Some of these third parties have connections to other institutions and servicers. Each new relationship and connection provides potential access points to all of the connected networks and introduces different weaknesses into the system. Ultimately, these interconnected networks are vulnerable to attacks that may affect multiple organizations at one time."
Financial fraud expert Al Pascual, an analyst for consultancy Javelin Strategy & Research, says Curry's mention of third-party service providers could foreshadow more regulatory pressure - an expectation the Federal Deposit Insurance Corp. alluded to in July during a community bankers' forum it hosted in Washington (see FDIC: Improve Vendor Management).
"The mention of third-party vendors definitely stands out, especially in the shadow of what we have heard recently from the FDIC," Pascual says. "I would not be surprised if regulators sought a way to indirectly influence the actions of vendors that they find lacking by introducing a mechanism that effectively steers FIs [financial institutions] away from vendors that are not up to snuff."
Pascual says the creation of the task force illustrates how seriously banking regulators are taking cybersecurity. "Cooperation and shared intelligence - these can no longer be empty phrases, and it appears that the industry is taking that to heart when it comes to tackling the very real issue of cybersecurity," he says.
But Peter Tapling, president and CEO of Authentify, an online authentication provider, says Curry's statements don't suggest regulators will be doing more to oversee vendors and core service providers. Rather, he believes regulator will more clearly define the roles banking institutions play in screening the third parties with which they work.
"Earlier guidance made it clear that banks were responsible for appropriately vetting their providers, but it was quite general," Tapling says. "I get a sense from Curry's comments that more specific requirements might be in the offing."
Still, the security onus will be on banks and credit unions, he adds. "It is a positive sign that the regulators are trying to be more future-looking," Tapling says. "Many banks commented that when the first FFIEC guidance [for authentication and vendor management] came out, they were already doing everything required of the guidance. That was because there were still many institutions which were not up to that level. By being forward-looking in their guidance, institutions are better able to put technology requirements on their development roadmaps."
Proactive Approach to Cybersecurity
Shirley Inscoe, a financial fraud analyst for the consultancy Aite, says Curry offered a valuable call to action in his presentation.
"The primary point he makes that I agree with is that banks must find a way to become more proactive in the face of these attacks than many of them have been able to be," Inscoe says.
"This is not due to a lack of concern or effort. The largest banks can afford the investments, if they must make them. But the smaller institutions will have a tougher time reacting to such varied and diverse threats. No one solution will provide adequate protections; and how many solutions can each bank afford to implement?"
In fact, Joram Borenstein, vice president of NICE Actimize, provider of anti-fraud solutions and technologies, says Curry's statements are in many ways aimed at community institutions, which often struggle more with cybersecurity budgeting than larger institutions.
"It's outstanding to see such a senior policymaker focusing on smaller institutions, such as community banks and thrifts, since those are, indeed, some of the softer targets for cyber-attacks of various types," Borenstein says. "It's also very encouraging to see the focus on updating examination procedures in light of the fact that the threat landscape is changing rapidly; highlighting this reality to the financial services industry remains an important goal of U.S. regulators."
Michael Versace, insights director for International Data Corp., a consultancy and data-analysis firm, says Curry's speech should encourage banking institutions to be more proactive in their approaches to security, rather than focusing so much on check-box compliance.
"[The banking regulators'] message should be more focused and to the point on the limitation of existing bank approaches. Their language should aim to shift the industry from the current reactive security posture toward an anticipatory, predictive intelligence perspective, so we have a chance to get ahead of attacks, plan for enterprise risks, and take actions before attacks occurs."
In June, the FFIEC launched the Cybersecurity and Critical Infrastructure Working Group to address banking institutions' unique cyber-threats, Curry said. Members of this group have already met with intelligence, law enforcement and homeland security officials and are reviewing how best to implement strategies outlined in the President's Executive Order on Cybersecurity, as well as address recommendations offered by the Financial Stability Oversight Council.