Federal regulators have substantially elevated cybersecurity risk assessments as yet another monitoring tool. They now view risk assessments not just as relevant to mundane IT issues but as more fundamental for assessing operational risk relevant to the safety and soundness of the entire banking institution. Indeed, in a May 7, 2014 speech, Thomas J. Curry, the Comptroller of the Currency, noted “that some of the most significant losses banks have sustained in the last several years were attributable not to the loans they made but rather to lapses in operational risk management and the ensuing legal judgments, regulatory fines and reputational damage.”
The sophistication of cyber-attacks has increased in parallel with the evolution of financial services technology over the last 30 years – from ATMs to Internet-based banking to mobile banking, all of which increase vulnerability and exposure for banks. As Curry noted, “[R]isk today, in an interconnected world, is qualitatively different – and far more difficult to manage – than it was even a few years ago.”
As a result, the following initiatives are under way:
The Federal Financial Institutions Examination Council (Council) is an interagency body striving for uniformity in the principles, standards and reporting forms for federal examinations undertaken by the Board of Governors of the Federal Reserve Board, the Office of the Comptroller of the Currency (OCC), the Federal Deposit Insurance Corporation, the Consumer Financial Protection Bureau and the National Credit Union Administration. Through its Cybersecurity and Critical Infrastructure Working Group, the Council plans to more aggressively supervise smaller community banks with cybersecurity vulnerability and risk-mitigation assessments. These assessments will begin in late 2014.
The OCC, a member of the interagency Council, has plans to do the same with certain large banks with average consolidated total assets of $50 billion or more under the Bank Service Company Act, 12 U.S.C. §1861, et seq. The OCC released proposed guidelines on “heightened expectations for risk management, internal audit and governance in large national banks” in January, according to Curry. Comments have been received and are being evaluated. At the core, as summarized by Curry, the new proposed guidelines mandate a system to effectively “identify, measure, monitor and control risk taking,” ensure that “the board of directors has sufficient information” and “set criteria for the board’s composition and responsibilities, to ensure that boards have a minimum number of independent directors and that all board members have the information, status and authority to ensure effective oversight.”
Ultimately, the Council and the OCC recognize the increased importance of cybersecurity to financial institutions, including their oversight of connected third-party business partners. Further updates will follow.