New cyber security tool in works by OCC

The Office of the Comptroller of the Currency plans to issue “soon” what it calls a “cyber security assessment tool” with which financial institutions can evaluate their inherent cyber security risk.

Comptroller of the Currency Thomas Curry said in a speech to the BITS Emerging Payments Forum in Washington, D.C., that the tool should help shape banks’ risk management capabilities—including those in existing and emerging payment areas. It’s intended to shed light on how well cyber security measures already undertaken comport with the bank’s cyber security risks.

“I want to emphasize that the assessment tool is exactly that. It is a tool to help banks, particularly community banks, to defend against cyber security threats,” said Curry. “Those threats are real and they are unlikely to abate anytime soon. In fact, they are more likely to increase.”

Added Curry, for the skeptical: “I would caution against anyone viewing this effort and the OCC’s complementary cyber security examination program as an unnecessary regulatory burden. The time to act is now.”

The tool, he said, was developed based in part on data obtained by a joint assessment of cyber security preparedness at 500 institutions last year by bank regulatory agencies. Another offshoot of that effort was the strong recommendation by the Federal Financial Institutions Examination Council that banks of all sizes should participate in the Financial Services Information Sharing and Analysis Center, a nonprofit forum intended to facilitate the sharing of physical and cybersecurity threat and vulnerability information.

“One of the lessons we have learned in the bank regulatory community is that collaboration is vital, especially in dealing with highly complex, rapidly evolving challenges like cyber security,” Curry said. “I’m referring not only about collaboration and cooperation among the banking agencies, but also among financial providers.”