Regulator Hints at New Cyber GuidanceOCC Deputy Pushes for Collaboration Between Merchants, Banks
Just days after the Federal Financial Institutions Examination Council outlined new business continuity expectations related to managing cyber-risks, an Office of the Comptroller of the Currency's deputy further defined how emerging cybersecurity risks facing payments and mobile transactions could adversely affect banks (see FFIEC Issues Cyber-Resilience Guidance).
During her Feb. 11 speech before The Clearing House's Operational Risk Colloquium in Washington, Deputy Comptroller Beth Dugan hinted that more cyber-related guidance, such as best practices for how banking institutions should address cyber-attacks waged against payments like ACH and mobile, could be on the way.
And while Dugan did not explicitly say new guidance for payments and mobile was pending, the tone of her discussion suggested new guidance may be forthcoming.
"I can tell you without hesitation that the risks to banks from cyberthreats and vulnerabilities are significant," she said. "The severity of cyberthreats is escalating rapidly, and attackers are exhibiting an increasing ability to exploit vulnerabilities in commonly used infrastructure. While the impact on financial service firms has been relatively limited so far, as we see from experience in other industry sectors, there is a growing possibility for materially severe attacks on banks or the infrastructure on which they depend."
What Dugan did say is that regulators' response to the FFIEC's cybersecurity assessment program, which was piloted over the summer at 500 community banks and credit unions, is still in its "early" stages.
So far, the OCC has come out with best practices and guidelines for a number of cyber-risks, including vulnerabilities posed by third-party relationships and the need for more C-level involvement in cybersecurity decision making.
On Feb. 6, the FFIEC announced the addition of a new appendix to its Business Continuity Planning Booklet, which is part of the FFIEC's IT Examination Handbook. The addition marked the first time the term cyber-resilience had been used in a regulatory publication.
Now the regulators' cybersecurity focus, Dugan suggested, could turn to setting expectations for how banking institutions respond to emerging cyber-risks related to the interconnectedness of the payments and banking landscapes.
She said banking institutions and other industry segments, such as retail and payments, are closely intertwined, "not only through the infrastructure upon which they rely, but also as a result of third-party relationships that have become increasingly important to bank business models." And she said shared infrastructure and the interconnectedness of banking and third-party systems and devices pose increasing risks, alluding to the fact that banking regulators in coming months will do more to address those risks through best practices for risk monitoring, risk assessment and risk awareness.
Tom Kellermann, chief cybersecurity officer of security firm Trend Micro, says Dugan's comments about why enhanced cybersecurity has to hinge on stronger collaboration represent a promising first step toward building a stronger infrastructure that meets the needs of banks, payments providers, merchants and others.
"It is about time," Kellermann says. "The safety and soundness of the sector is at stake."
Parallel Risks to Payments and Banking
Dugan, in her speech, outlined the concerns related to cyber-attacks facing both the payments and banking industries, reiterating the need for more information sharing across sectors and a greater focus on inter-related operational risks.
She praised the steps that The Clearing House, which provides core payment systems that clear and settle nearly $2 trillion daily, has taken to improve information sharing between merchants and banks. Dugan also noted how The Clearing House's steps have resembled those taken by the FFEIC, in the wake of last summer's pilot cyber-exam program.
"The Clearing House helped launch a year ago this month a partnership between trade associations representing the merchant and financial services industries to explore paths to increased information sharing, better card security, and maintaining the trust of customers," Dugan said. "Financial institutions - and other industry sectors - are interconnected, not only through the infrastructure upon which they rely, but also as a result of third-party relationships that have become increasingly important to bank business models."
Jordan Lampe, director of policy affairs for Dwolla, an online payment system and mobile payments network provider, says banking regulators, The Clearing House and the Federal Reserve System are focused on making infrastructure improvements that help banking institutions, payments providers and others share information about emerging and existing cyber-attacks more readily.
"As the Federal Reserve looks to launch its industry working groups for an improved payments system, I would assume these voices will aggregate and be represented in the Security Task Force," Lampe says.
The formation of a Payments Security Task Force is one initiative the Fed is spearheading as part of its payments system overhaul to facilitate faster, and in some cases real-time, domestic and international payments (see Fed's Payments Overhaul on Fast Track).
"The current infrastructure just isn't equipped to provide sufficient, timely and actionable data to its stakeholders," Lampe says. "Today's technologies benefit from synchronous, real-time information between multiple platforms, which helps the entire ecosystem identify and mitigate fraud."
But when the entire ecosystem is not held to the same cybersecurity standard, the ecosystem is weakened, he adds. "Not having such a connective communication tissue to the one of the economy's most systemically important networks, ACH, creates challenges for its stakeholders, which are becoming increasingly digital in nature."
Pitfalls of Interdependencies and Inter-relations
The need for more focus on risks associated with payments and third-party affiliates, such as merchants, vendors, service providers, etc., has been called out numerous times by regulators over the past six months.
In August, the OCC, as the FFIEC's lead agency, issued an updated version of its Merchant Processing booklet to specifically address high-risk merchants and third party risks (see OCC: More Third-Party Risk Guidance).
In November, representatives from the Federal Deposit Insurance Corp., one of the FFIEC's regulatory agencies, said during a community banking advisory committee meeting that more regulatory focus was going to be paid to third-party dependencies (see FDIC: What to Expect in New Guidance).
4 Notable Threats
Dugan pointed out four areas where cyber-risks are posing greater concern:
- The compromise of credentials through phishing attacks and drive-by downloads from commonly visited websites infected with malware;
- Ransomware attacks targeting consumers through mobile devices;
- The destruction of data and systems;
- Infrastructure vulnerabilities, such as the Bash bug and the OpenSSL bug known as Heartbleed, that cybercriminals are sharing information about and selling in the underground.
"Financial institutions' exposure to cyberthreats and vulnerabilities has increased as a result of every third party and customer link into their systems," Dugan said.
Banks and credit unions must expand their cyber-resiliency by testing network/system disruption and/or cyberattack scenarios that could impact them as well as the outside parties on which they depend, she said.
This need for cyber-resilience was the cornerstone the FFIEC's new appendix to the Business Continuity Planning Booklet.