-
Regulators are paying increasing attention to cyberthreats facing financial institutions, but many bankers are only just beginning to notice.
June 28 -
White House efforts to promote voluntary sharing of information about cyber threats among banks represent "an important step" but a presidential directive cannot substitute for a law, Treasury Secretary Jack Lew said.
June 20 -
The White House says the nation needs new laws to reinforce its cyber defenses but that the push should not come at the cost of privacy.
May 2
WASHINGTON Comptroller of the Currency Thomas Curry has asked a recently formed team of federal financial regulators to determine if supervisors are prepared to deal with cyber threats and whether more legislation is needed to confront the issue.
In a speech before the Exchequer Club on Wednesday, Curry pointed to an interagency task force he created in June to look at cybersecurity. The team, operating through the Federal Financial Institutions Examination Council, is beginning to implement parts of President Obama's recent executive order on the subject as well as look for whether banks and their regulators are appropriately dealing with it.
"We need to be sure we are taking full advantage of the authority we already have over both financial institutions and service providers," said Curry in his prepared remarks. "But if we determine that legislation is needed to fill gaps in our authority, I can assure you that we will move promptly to raise our concerns to Congress."
The task force, which Curry created shortly after becoming chairman of FFIEC in April, has already been meeting with law enforcement officials about ways the industry can better prepare for a cyber attack.
The Treasury Department is also interested in the topic. Treasury Secretary Jack Lew said in June that businesses, including banks, should support information sharing about cyber threats and promoted new legislation that would protect such sharing.
Curry's remarks, however, were focused on how regulators can better share information with each other.
"We need to identify and address gaps in the landscape of federal and state bank examination policies related to cybersecurity and critical infrastructure resilience," he said.
Regulators are concerned that banks are opening themselves up to more advanced cyber attacks as they offer new products through online avenues such as cloud computing, mobile banking and social media. The risks are amplified when institutions use third-party providers to support banks' systems and business activities.
"Each new relationship and connection provides potential access points to all of the connected networks and introduces different weaknesses into the system," Curry said. "Ultimately, these interconnected networks are vulnerable to attacks that may affect multiple organizations at one time."
While cybersecurity has been an ongoing concern for regulators, larger banks have so far thwarted any massive attack. Curry acknowledged this, saying he believed the banking system is "prepared" to combat cyberattacks and the OCC has "teams of examiners" focused on IT security issues at the largest banks.
But smaller banks remain a big concern for the OCC, Curry said, because it is easier for hackers to invade their systems. The OCC recently held a public webinar on the issue with community banks as well as several classified briefings with banks, vendors and examiners.
"The OCC stands ready to help the institutions we supervise in any way we can. We will participate actively in our public-private partnerships, and we will work to raise awareness among the banks we supervise through teleconferences and other outreach events. We will disseminate guidance, working papers and other information, and will leverage expertise provided by our information technology, operational risk, and governance specialists during examinations," Curry said. "But this is not a problem that can be addressed by one agency alone or by any one institution acting on its own. It is a threat that we can deal with only if we work together in a collegial and collaborative way for the good of our country."
In his remarks, Curry repeatedly called for the regulators to work more closely together in sharing information amongst agencies, not just with enforcement and intelligence officials. He also is seeking better communication about incidents and coordination among regulators on domestic and international issues.
"Clearly, much of the responsibility for assessing cyber threats is housed in other agencies, from the Department of Homeland Security to the FBI to the National Security Agency. They are on the front lines, and they are the ones that are doing the most within government to identify, evaluate, and respond to threats in this area," Curry said. "However, we the OCC, the FFIEC, and the other regulatory agencies individually are working closely with them to strengthen the coordination and overall effectiveness of government's approach to cybersecurity of critical infrastructure."