How to Improve Cyber Resilience: A Q&A with the OCC’s Patrick Kelly
Destructive cyberattacks are becoming increasingly disruptive across the banking sector, wreaking significant economic and reputational havoc. The OCC, however, is taking steps to identify, assess and mitigate these cyber risks, led by its Director for Critical Infrastructure Risk Policy.
It is therefore incumbent upon banks to proactively identify, measure and manage the risk of cyberattacks, which range from ransomware to phishing-type scams to business email compromise (BEC) schemes. Otherwise, they risk becoming part of an alarming forecast for global cybercrime damages.
Patrick Kelly, Director for Critical Infrastructure Policy, OCC
Recently, to learn more about the OCC’s perspective, we spoke with Patrick Kelly, the regulator’s Director for Critical Infrastructure Policy. Kelly shared his insights on a multitude of issues, including the best approach to cyber resilience; the most practical strategy for aligning cybersecurity with operational risk; and the steps CISOs can take to explain and effectively communicate cyber risks to senior management and the board.
What’s the OCC’s view on achieving resilience, both from cyber and operational perspectives?
Destructive malware introduced into a financial institution’s systems has the potential to alter, delete or otherwise render production data and systems unusable. Depending on the scope of the attack, the type of backup processes used and other controls employed, data and system backups may be similarly affected in a destructive cyberattack.
These scenarios should be a key driver for continuity and resiliency planning. Key considerations include maintaining system backups, either on segmented portions of the network or through offline tools like tape media.
Another key component is regularly testing recovery capabilities to ensure that they are operating as intended, to meet recovery objectives and, ultimately, to be prepared to respond to ransomware or other destructive malware that encrypts or corrupts data, including backups.
Banks should have comprehensive resilience plans to respond not only to cybersecurity risks but also to a wide range of disruptive events that may need to be addressed concurrently, including technology-based failures, natural disasters, and, of course, pandemic outbreaks.
While efforts to strengthen operational resilience may not prevent a disruption from occurring, a pragmatic, well-constructed approach can help minimize the adverse effects of an operational disruption and enhance a bank's ability to withstand a disruption.
How should banks align their cybersecurity program with operational risk?
Cybersecurity is a key operational risk and should be integrated into a bank’s overall operational risk management program. This is especially important for banks with complex operating and technical environments.
An effective security and resilience framework requires coordination of physical and technical controls, which can help monitor process and response programs throughout the organization. This requires partnership and collaboration across business lines and coordination through a comprehensive risk management program, commensurate with the risk profile of the institution.
What types of risks are top of mind for the banking industry?
One of the top risks we have observed is an increase in the frequency and severity of disruptive and destructive cyberattacks, especially ransomware. While the overall number of successful attacks against banks is still relatively low, the frequency has been increasing over recent years.
Even with preventive controls in place, it may take only one system with weak authentication or an unpatched vulnerability to fall victim to destructive malware attacks. To mitigate cyber risks, banks should adopt heightened threat and vulnerability monitoring processes. Moreover, they should implement more stringent security measures, including multifactor authentication and timely patch management. To improve operational resilience, banks should also deploy and regularly test system backups, and isolate those backups from network connections.
Increasing geopolitical tensions have further increased cyber concerns and highlighted the importance of heightened threat monitoring, greater public-private sector information sharing, and safeguarding against disruptive attacks targeting the financial sector. Given these increased operational risks, including risks from geopolitical threats, the Cybersecurity and Infrastructure Security Agency (CISA) has published a “Shields-Up” web page to promote awareness of current cybersecurity threats and mitigations.
Additionally, technological advances and innovation continue to spur the development of new products, services, and delivery channels, which can potentially increase complexity and third-party risk.
CISOs should communicate with their board or risk management teams regularly, and in a fulsome manner, to enable their employers to meet those expectations. This entails not only speaking about cybersecurity initiatives and metrics but also, more importantly, translating that data into a meaningful picture of how the program supports the core business and key priorities of the board.
As cybersecurity threats continue to evolve, the CISO must regularly communicate the potential impact of these risks to ensure the security program’s continued alignment with the bank’s strategy and risk appetite.
Christopher Hetner is a risk management expert with more than 25 years of experience in cyber risk, regulatory compliance and corporate governance. He currently serves as both an expert advisor to the Institute for Defense Analyses (U.S. Department of the Treasury) and a special advisor on cyber risk to the National Association of Corporate Directors. Previously, he worked as the senior cybersecurity advisor to Securities and Exchange Commission Chairs Mary Jo White and Jay Clayton. He can be reached at firstname.lastname@example.org.