Cybersecurity is the top priority for the office charged with regulating and supervising all banks in the U.S., according to the newly released bank supervision operating plan for 2018 from the Treasury Department’s Office of the Comptroller of the Currency.
The declaration comes amid an environment where attackers are multiplying and the threat surface is rapidly expanding. Experts expect the reaction from banks to be greater focus and spending on cybersecurity.
“Cyber threats are increasing in speed and sophistication,” Comptroller of the Currency Keith Noreika said earlier this year in an OCC Risk Perspective. “These threats target large quantities of personally identifiable information and proprietary intellectual property and facilitate misappropriation of funds at the retail and wholesale level. Phishing is a primary method for breaching data systems and is often the entry mechanism to perpetrate other malicious activity, such as installing ransomware, accessing confidential information, compromising internal systems to effect payments, or conducting espionage.”
One area sure to receive attention is financial institutions’ relationships with third-party vendors providing legal, technology and business services. A new report published Thursday by the cybersecurity firm BitSight shows that, more often than not, companies in banks’ supply chains do not meet the security standards banks hold themselves to. By focusing on vendors, researchers found outdated, unsupported and highly vulnerable machines all over the financial industry’s ecosystem.
Examining banks’ relationships with their vendors is one of the focuses specifically called out in the OCC’s new operating plan.
“It’s about time,” Simon Bain, CEO of the security firm BOHH, told CyberScoop. “Currently, we are seeing institutions continuing to ignore security threats and taking a lazy, lip service approach to them.”
Bain expects an uptick in cybersecurity spending from financial institutions.
“What will be interesting is to see where banks and financial institutions will spend their money,” he said. “I think the spending will go into two major places: threat detection, inside the network where bad actors are trying to access, and also threat prevention, looking at how to stop a bad actor from jumping onto the network in the first place and getting access to data.”
The banking industry faces tighter controls from both outside regulators and inside the industry. After losing hundreds of millions of dollars to attacks against SWIFT, the global network banks use to transfer money between one another, regulators began this year to enforce mandatory security controls to beef up defenses against an increasing host of hacker successes against the financial world. Although banks once faced only organized crime, North Korea’s recent cyberattacks against international banks have changed the landscape dramatically.
“Directly stealing money out of bank accounts is something that has not traditionally been the purview of nation-states,” Jon Condra, director of East Asian research and analysis at the threat intelligence firm Flashpoint, told CyberScoop earlier this year. “This has been an interesting twist in the APT saga coming out of the East Asian region.”
The Financial Services Information Sharing and Analysis Center (FS-ISAC) is considered to be one of the most active and effective analysis centers in private industry.
The OCC operating plan lays out what the agency will focus on in its supervisory role over all national banks, federal savings associations, federal branches and agencies of foreign banks.
Earlier this year, the OCC’s plans to impose stricter cybersecurity rules for the finance industry met stiff resistance. Rule-makers in New York state and at the Federal Trade Commission have faced similar push-back on regulation.
Cybersecurity has long been in the OCC’s focus, but the raised priority level means banks will receive greater scrutiny on information security, data protection, third-party risk management and risks associated with third-party relationships. OCC examiners use the Federal Financial Institutions Examination Council’s Cybersecurity Assessment Tool.