OCC's Curry: Cyberthreats Are GraveSpeech Highlights Heightened Risks to Banks
U.S. banking institutions' reliance on the Internet and emerging technologies such as mobile is opening the door for increased cyber-risks, which pose a threat that's potentially as grave as the recent financial crisis. That was the message delivered by Comptroller of the Currency Thomas Curry in prepared remarks for a Sept. 18 speech in Washington.
"From a vulnerability perspective, we are at increased risk due to our banking system's significant reliance on technology and telecommunications, and the interconnections between these systems," Curry said. "Banks not only operate their own networks, they also rely on third parties to support their systems and business activities. Some of these third parties have connections to other institutions and servicers. Each new relationship and connection provides potential access points to all of the connected networks and introduces different weaknesses into the system."
That interconnectivity has raised new awareness about potential fraud threats and risks posed by distributed-denial-of-service attacks, which have been targeting U.S. banks and credit unions for the last year, he points. As a result, the Office of the Comptroller of the Currency is working with other banking regulators, through the Federal Financial Institutions Examination Council, to evaluate these emerging risks and assist banking institutions in developing strategies to defend their networks and online presences, Curry said.
In June, the FFIEC launched a new task force, the Cybersecurity and Critical Infrastructure Working Group, to address banking institutions' unique cyber-threats. Members of this group have already met with intelligence, law enforcement and homeland security officials, he said. They also are reviewing how best to implement strategies outlined in the President's Executive Order on Cybersecurity, as well as address recommendations offered by the Financial Stability Oversight Council, Curry said.
"As we develop the working group's priorities, there are a number of areas that I hope the group will engage in," he said. "We need to identify and address gaps in the landscape of federal and state bank examination policies related to cybersecurity and critical infrastructure resilience. It is important that our examiners continue to have clear and meaningful policy guidance to address today's threats - and tomorrow's."
Additionally, information sharing among regulators, law enforcement and intelligence communities must be a priority, Curry said, and cybersecurity awareness must continually improve.
"We need to continue to improve the awareness across financial institutions, particularly community institutions, about the evolving nature of the cyber-landscape and encourage their engagement in public-private partnerships," Curry said.
Incident response, through coordination with the FFIEC and international regulatory bodies, is a priority as well, he said.