
Comptroller cites many faces of cyberfraud

Latest risk report paints cyber as key operational risk source

Written by Website Staff

Cybersecurity risks represent a key concern of the Comptroller of the Currency, according to the agency's latest Semiannual Risk Perspective.

The report, unveiled last week, dwelled at length on credit issues, but also covered many operational and other risks facing the banking industry. Among the ranking concerns was cybersecurity, arising both directly and through banks’ exposures to third parties.

The breadth of the agency's list of exposure types testifies to the many sources of cyberrisk today.

OCC’s list included:

Insidious attacks. Extortion demands, where criminals threaten bank systems or critical files, represent a key exposure. These scams are also known as “ransomware.” Criminals threaten to cripple institutions unless they deliver payment in virtual currency. OCC cited figures from McAfee Labs indicating that ransomware samples rose 26% from the third quarter 2015 to the fourth quarter 2015.

Reinvented money. New wrinkles such as virtual currencies threaten banks with a double punch. First, they can provide anonymity and an easy way to launder funds for wrongdoers, the agency said, impacting bank BSA/AML duties. Second, and more directly impacting banks, they can enable cyber criminals to raise money to back physical and cyber attacks.

Exposure through customers. The “business email compromise” or BEC attack uses social engineering to set up false requests for company funds transfers. OCC cited FBI figures indicating that BEC attacks caused over $2.3 billion in losses from October 2013 to February 2016. 

Open—to problems. “In the last several years, the number of reported critical vulnerabilities in widely used technology, such as open-source software, has increased. These vulnerabilities are often difficult to remediate because of the potential effect on significant numbers of third-party and internally developed applications, systems, and services.”

Old reliables like phishing attacks on employees, customers, and third parties can provide an entry point for criminals. One gambit is using phishing to push malware into bank systems.

Attacks on interbank networks and wholesale payments systems—such as the problems experienced by SWIFT (not named in the report).

Risk of missed exposures. “Business operating models are under increasing pressure as banks seek to launch new products and services directly or through third parties, leverage technology, implement systems to comply with new rules, reduce staffing, outsource critical activities, reengineer business processes, and partner with firms unfamiliar with the bank regulatory environment,” the report stated. “Banks may not always adapt risk management and control processes to these changes in business strategy.”

Risk of untimely responses. While the best result is to avoid falling into a trap, the next best is a quick recovery. OCC cited the risk that banks may not adequately support recovery in their governance, risk management, and strategic planning processes.

Too many eggs in one basket. As banks outsource and partner on more and more operations, risk management becomes more challenging. Concentration risk, long discussed in regard to credit, also becomes an issue in its operational risk form when multiple processes reside with common providers.

Attacking the defenders. Cybercriminals aren’t dumb, so they are attacking integral players.

“Cyber attacks continue to target companies that provide cybersecurity risk-mitigation products and services to banks, potentially amplifying the breadth of affected institutions through a common access point,” the report stated.
