OCC’s Cybersecurity Regulatory Expectations: A Call to Action
Not surprisingly, cybersecurity remains a top examination priority for the Comptroller of the Currency (“OCC”). And that means national banks and federal savings associations – and their leadership teams – should be prepared for “heightened” focus by OCC examiners in critical areas of cybersecurity risk including banks’ third-party and vendor relationships.
“We can’t allow the federal banking system to be compromised by hackers or used by criminals or terrorists,” said Thomas J. Curry, Comptroller of the Currency, in a statement that accompanied the release of the OCC’s Semiannual Risk Perspective late last month. “We saw in the aftermath of the financial crisis that there is a price to be paid for ignoring compliance.”
Financial institutions under the OCC’s watchful eye should consider themselves warned.
The OCC Report identifies “operational risk” related to cybersecurity as elevated for a number of reasons including “the amount and pace of internally and externally initiated change, greater interconnectedness and interdependencies, increased sophistication of cyber threats, and pervasive technology vulnerabilities.” Underlying the OCC’s concerns is the fact that business operating models “are under increasing pressure as bankers seek to launch new products, leverage technology, reduce staffing, outsource critical activities, reengineer business processes, and partner with firms unfamiliar with the bank regulatory environment.” The demands for banks in adapting “risk management and control processes to these changing business strategies,” as well as the challenges of “incorporating resiliency considerations, including recovery from cyber events, into their overall governance, risk management, or strategic planning processes,” will, no doubt, continue to drive the OCC’s focus on cybersecurity safeguards and controls.
Until now, the OCC has provided limited practical guidance on how financial institutions can live up to regulatory expectations in the realm of data security. The Interagency Final Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, see 70 Fed. Reg. 15736, released in 2005 by the OCC, the Board of Governors of the Federal Reserve System (“Fed”), the Federal Deposit Insurance Corporation (“FDIC”), and Office of Thrift Supervision pursuant to regulations under Section 5 of the Gramm-Leach-Bliley Act, see also 12 C.F.R. Part 30, Appendix B (“Interagency Guidelines Establishing Information Security Standards”), provided a broad framework regarding institutional planning for information intrusions and response, including notice to customers. But in the OCC’s Report, the agency specified that, going forward, examiners will use the agency’s new Cyber Security Assessment Tool (“Tool”), in conjunction with other factors, to determine a bank’s ability to detect, prevent and respond to cyber threats. Though, perhaps, not the definitive guidance that the industry may be looking for, the Tool adds another analytical reference point to the cyber-regulatory regime.
The Federal Financial Institutions Examination Council (“FFIEC”) released the Tool in July 2015 to aid financial institutions in evaluating their cybersecurity risk profile and determining their level of cybersecurity preparedness. The FFIEC is an interagency body that promotes uniformity in the supervision of financial institutions. FFIEC members include the OCC, the Fed, the FDIC, the National Credit Union Administration, and the Consumer Financial Protection Bureau, as well as the State Liaison Committee, which represents state banking, savings institution, and credit union supervisors.
The Tool provides two levels of assessment. First, it contains five criteria on which banks evaluate their “inherent risk profile:”
• Technologies and Connection Types: Among other things, the number of internet service providers and third-party connections the institution maintains, whether systems are hosted internally or externally, the extent of cloud services, and the use of personal devices.
• Delivery Channels: An institution’s product and service delivery channels, such as online, mobile and automated teller machine operations.
• Online/Mobile Products and Technology Services: The products and services offered by the institution, including various payment services, person-to-person payments, and global remittances. Additionally, this category considers whether the institution provides technology services to other organizations.
• Organizational Characteristics: Aspects of the institution’s business such as mergers and acquisitions, changes in the institution’s information technology environment, the number of direct employees and cybersecurity contractors, the number of users with privileged access, and locations of business data centers.
• External Threats: The volume and sophistication of cyberattacks targeting the institution.
A bank’s inherent risk profile is ranked on a scale from “least” risk to “most” risk, using 14 different factors for each of these risk categories.
After determining its Inherent Risk Profile, an institution uses the second level of the assessment to determine the institution’s level of “maturity” for cybersecurity preparedness within each of the following five areas:
• Cyber Risk Management and Oversight: Oversight by the institution’s Board of Directors and management’s implementation of an effective cybersecurity program with comprehensive policies and procedures, sufficient resources, and proper training;
• Threat Intelligence and Collaboration: Threat intelligence and collaboration includes processes to effectively discover, analyze, and understand cyber threats, with the capability to share information internally and with appropriate third parties;
• Cybersecurity Controls: Cybersecurity controls are the practices and processes used to protect assets, infrastructure, and information by strengthening the institution’s defensive posture through continuous, automated protection and monitoring;
• External Dependency Management: External dependency management involves establishing and maintaining a comprehensive program to oversee and manage external connections and third-party relationships with access to the institution’s technology assets and information; and
• Cyber Incident Management and Resilience: Cyber incident management includes establishing, identifying, and analyzing cyber events; prioritizing the institution’s containment or mitigation; and escalating information to appropriate stakeholders. Cyber resilience encompasses both planning and testing to maintain and recover ongoing operations during and following a cyber incident.
A bank’s “maturity” ranking from “baseline,” at the low end of the scale, to “innovative,” at the high end, provides a measurement of the controls available to manage risks identified in a financial institution’s risk profile.
Beyond specifying that examiners will make use of the Tool to assess an institution’s cybersecurity readiness, the OCC does not provide further guidance on what role the Tool will play in the results of its examinations, nor what examiners will be looking for in a bank’s own analyses of its systems within the Tool’s parameters. The structure of the Tool, however, as well as its rubric of considering comparative risk relative to an institution’s cyber “maturity,” signals that one broad consideration will likely be the gap between an institution’s inherent risk and maturity analysis, i.e., the extent to which an individual bank’s cybersecurity systems, processes, policies, and procedures are consistent with its self-described risk profile. So, for example, if a bank considers its risk profile to be at the high end of the Tool’s spectrum, the OCC may expect to see cybersecurity policies and systems commensurate with such a risk profile.
It is clear that 2016 will be a year of increased regulatory scrutiny for financial institutions. The more challenging question is whether 2016 will also be the year of increased supervisory or enforcement actions against institutions that don’t heed Comptroller Curry’s call to action.