Cybersecurity risks represent a key concern of the Comptroller of the Currency, according to the agency's latest Semiannual Risk Perspective.
The report, unveiled last week, dwelled at length on credit issues, but also covered many operational and other risks facing the banking industry. Among the ranking concerns was cybersecurity, arising both directly and through banks’ exposures to third parties.
The agency's broad list of exposure types testifies to the many sources of cyber risk today.
OCC’s list included:
• Insidious attacks. Extortion demands, in which criminals threaten bank systems or critical files, represent a key exposure. These scams are also known as “ransomware.” Criminals threaten to cripple institutions unless they deliver payment in virtual currency. OCC cited figures from McAfee Labs indicating that ransomware samples rose 26% from the third quarter of 2015 to the fourth quarter of 2015.
• Reinvented money. New wrinkles such as virtual currencies pack a double punch for banks. First, they can provide anonymity and an easy way for wrongdoers to launder funds, the agency said, affecting banks' BSA/AML duties. Second, and more directly affecting banks, they can enable cyber criminals to raise money to back physical and cyber attacks.
• Exposure through customers. The “business email compromise” or BEC attack uses social engineering to set up false requests for company funds transfers. OCC cited FBI figures indicating that BEC attacks caused over $2.3 billion in losses from October 2013 to February 2016.
• Open—to problems. “In the last several years, the number of reported critical vulnerabilities in widely used technology, such as open-source software, has increased. These vulnerabilities are often difficult to remediate because of the potential effect on significant numbers of third-party and internally developed applications, systems, and services.”
• Old reliables like phishing attacks on employees, customers, and third parties can provide an entry point for criminals. One gambit is using phishing to push malware into bank systems.
• Attacks on interbank networks and wholesale payments systems—such as the problems experienced by SWIFT (not named in the report).
• Risk of missed exposures. “Business operating models are under increasing pressure as banks seek to launch new products and services directly or through third parties, leverage technology, implement systems to comply with new rules, reduce staffing, outsource critical activities, reengineer business processes, and partner with firms unfamiliar with the bank regulatory environment,” the report stated. “Banks may not always adapt risk management and control processes to these changes in business strategy.”
• Risk of untimely responses. While the best result is to avoid falling into a trap, the next best is a quick recovery. OCC cited the risk that banks may not adequately support recovery in their governance, risk management, and strategic planning processes.
• Too many eggs in one basket. As banks outsource and partner more and more of their operations, risk management becomes more challenging. Concentration risk, long discussed in regard to credit, also becomes an issue in its operational form when multiple processes reside with common providers.
• Attacking the defenders. Cybercriminals aren’t dumb, so they are attacking integral players.
“Cyber attacks continue to target companies that provide cybersecurity risk-mitigation products and services to banks, potentially amplifying the breadth of affected institutions through a common access point,” the report stated.