OCC warns of cyber threat to community banks

From: Risk.net

Author: Jessica Meek

US community banks face a growing threat of cyber attack, the US Office of the Comptroller of the Currency (OCC) has warned. The regulator says the growing sophistication and persistent nature of attacks are its key concerns.

Norine Richards, national bank examiner at the OCC, says that community banks must take action and ensure that the techniques they use to protect against cyber threats are comprehensive and effective.

“I want to stress that although many of the defences needed are IT-centric, banks must approach preparedness with a bank-wise or enterprise view. The threat environment and operational risk faced by community banks is very different and is constantly changing.”

She points out that, for this reason, community banks need to ensure that their processes are well defined and that bank employees clearly understand their role in the successful implementation and continued effectiveness of those processes.

She also raises concerns about the risks posed to community banks by their vendors and service providers. “[Community banks must] remember to look beyond their internal operations to external stakeholders and be sure that the security-orientated culture extends to everybody,” she says.

Further, she warns that community banks should be especially diligent when contemplating relationships with third-party servicers which have no prior experience with financial institutions or are small start-up companies. “These servicers may not be fully aware of regulatory expectations or may not set operating standards that mirror your expectations,” she points out.

There is also the question of reputational risk, Richards points out. Because services have become more complex and relationships among third parties less transparent, community banks must be aware of the reputational implications they could be exposed to. “When considering cyber threats, it is imperative that management understand clearly what a breach of their operation means to [their] bank and [their] customers.”

This is not the first time the OCC has warned of the reputational implications that come with service providers. In May, Carolyn DuChene, deputy comptroller for operational risk at the OCC, told Operational Risk & Regulation that banks should not forget that their reputation is their most valuable asset – and when a service provider fails to perform or treats a customer badly, the customer doesn’t hold the servicer accountable, but the bank.

“In most cases, the customer does not know about the servicer’s existence. The customer holds the bank accountable. This is one of the reasons why a bank needs to do a comprehensive risk assessment before it engages in outsourcing,” she said.

A special report on the cyber threat will appear in the July issue of Operational Risk & Regulation.
