As ransomware and other destructive cyberattacks continue to inflict major losses, and as banks move toward digitization and a rising reliance on third-party suppliers, the exposure of the financial services industry to a variety of complex cyber risks will likely only increase.
It is therefore incumbent upon banks to proactively identify, measure and manage the risk of cyberattacks, which range from ransomware to phishing-type scams to business email compromise (BEC) schemes. Otherwise, they risk becoming part of an alarming forecast for global cybercrime damages.
Through its Examinations Program, the Office of the Comptroller of the Currency (OCC) has developed a comprehensive plan for addressing and reducing cyber risk across the banking sector.
Patrick Kelly, Director for Critical Infrastructure Policy, OCC
Recently, to learn more about the OCC’s perspective, we spoke with Patrick Kelly, the regulator’s Director for Critical Infrastructure Policy. Kelly shared his insights on a multitude of issues, including the best approach to cyber resilience; the most practical strategy for aligning cybersecurity with operational risk; and the steps CISOs can take to explain and effectively communicate cyber risks to senior management and the board.
What’s the OCC’s view on achieving resilience, both from cyber and operational perspectives?
The OCC views cybersecurity and operational resilience as top issues for the federal banking system. To support banks in their cybersecurity preparedness efforts, we have regularly published resources for industry, including the FFIEC Cybersecurity Assessment Tool, the FFIEC IT Handbook, and statements addressing heightened cyber risk.
Destructive malware introduced into a financial institution’s systems has the potential to alter, delete or otherwise render production data and systems unusable. Depending on the scope of the attack, the type of backup processes used and other controls employed, data and system backups may be similarly affected in a destructive cyberattack.
These scenarios should be a key driver for continuity and resiliency planning. Key considerations include maintaining system backups, either on segmented portions of the network or through offline tools like tape media.
Another key component is regularly testing recovery capabilities to ensure that they are operating as intended, to meet recovery objectives and, ultimately, to be prepared to respond to ransomware or other destructive malware that encrypts or corrupts data, including backups.
Banks should have comprehensive resilience plans to respond not only to cybersecurity risks but also to a wide range of disruptive events that may need to be addressed concurrently, including technology-based failures, natural disasters, and, of course, pandemic outbreaks.
While efforts to strengthen operational resilience may not prevent a disruption from occurring, a pragmatic, well-constructed approach can help minimize the adverse effects of an operational disruption and enhance a bank's ability to withstand a disruption.
How should banks align their cybersecurity program with operational risk?
Cybersecurity is a key operational risk and should be integrated into a bank’s overall operational risk management program. This is especially important for banks with complex operating and technical environments.
An effective security and resilience framework requires coordination of physical and technical controls, which can help monitor process and response programs throughout the organization. This requires partnership and collaboration across business lines and coordination through a comprehensive risk management program, commensurate with the risk profile of the institution.
What types of risks are top of mind for the banking industry?
One of the top risks we have observed is an increase in the frequency and severity of disruptive and destructive cyberattacks, especially ransomware. While the overall number of successful attacks against banks is still relatively low, the frequency has been increasing over recent years.
Even with preventive controls in place, it may take only one system with weak authentication or unpatched vulnerability to fall victim to destructive malware attacks. To mitigate cyber risks, banks should adopt heightened threat and vulnerability monitoring processes. Moreover, they should implement more stringent security measures, including multifactor authentication and timely patch management. To improve operational resilience, banks should also deploy, regularly test and isolate system backups from network connections.
Increasing geopolitical tensions have further increased cyber concerns and highlighted the importance of heightened threat monitoring, greater public-private sector information sharing, and safeguarding against disruptive attacks targeting the financial sector. Given these increased operational risks, including risks from geopolitical threats, the Cybersecurity and Infrastructure Security Agency (CISA) has published a “Shields-Up” web page to promote awareness of current cybersecurity threats and mitigations.
Additionally, technological advances and innovation continue to spur the development of new products, services, and delivery channels, which can potentially increase complexity and third-party risk.
Banks should therefore have new product assessment and risk management processes commensurate with the risks posed by the implementation of new products and activities. Where third-party relationships are engaged, banks should also have appropriate due diligence and oversight of these third parties, to monitor and analyze the impact they may have on overall operational resilience.
How can bank CISOs effectively communicate the business and financial impacts of cyber risk to risk management teams and boards?
The OCC has well-defined expectations related to independent risk management and board-of-director communications. This includes independent risk management expectations for large financial institutions and Gramm–Leach–Bliley Act requirements for bank boards to approve and oversee the development, implementation and maintenance of the bank’s information security program.
CISOs should communicate with their board or risk management teams regularly, and in a fulsome manner, to enable their employers to meet those expectations. This entails not only speaking about cybersecurity initiatives and metrics but also, more importantly, translating that data into a meaningful picture of how the program supports the core business and key priorities of the board.
As cybersecurity threats continue to evolve, the CISO must regularly communicate the potential impact of these risks to ensure the security program’s continued alignment with the bank’s strategy and risk appetite.
Christopher Hetner is a risk management expert with more than 25 years of experience in cyber risk, regulatory compliance and corporate governance. He currently serves as both an expert advisor to the Institute for Defense Analyses (U.S. Department of the Treasury) and a special advisor on cyber risk to the National Association of Corporate Directors. Previously, he worked as the senior cybersecurity advisor to the Securities Exchange Commission Chairs Mary Jo White and Jay Clayton. He can be reached at email@example.com.