Greater Awareness, Greater Security

Q&A on cyber security with the OCC’s Valerie Abend

By Valerie Abend

The Office of the Comptroller of the Currency is working with community bankers to increase awareness about cyber threats. Valerie Abend, the OCC’s senior critical infrastructure officer, provides some insights on how community banks can prepare to defend against those increasing threats.

Q: Why is the OCC reaching out to community banks about the risks from cyber attacks?

Abend: We are concerned with the growing frequency and sophistication of cyber threats facing all banks; however, we also understand that cyber attackers may increasingly target community banks if they perceive smaller institutions as less able to protect themselves. We want to make sure that community bankers understand that they are also potential targets.

Q: What is the possibility that cyber attacks will impact community banks?

Abend: Trends indicate that attackers realize that smaller organizations often don’t have the necessary resources to defend themselves. A recent Symantec study reported that in 2012 half of attacks launched were aimed at businesses with fewer than 2,500 employees, and the largest growth area was attacks launched at businesses with fewer than 250 employees.

Q: Why are cyber threats becoming more pervasive?

Abend: There are three primary reasons. First, the number of cyber attackers is growing, facilitated by the low cost of developing or finding the tools to mount attacks and the ability to conduct attacks from anywhere.

Second, vulnerabilities are increasing. Adoption of new technology—social media, mobile applications and devices, cloud computing—is occurring faster than bankers can identify and control for vulnerabilities.

Third, banks depend on systems, such as Internet Service Providers, outside of their direct control so they can’t always validate that vulnerabilities are identified and mitigated. Since much of the infrastructure that banks depend upon is interconnected, there is the potential that an attack on one network could affect many organizations.

Q: What should community banks do to defend themselves?

Abend: As a first step in preparing to defend against the cyber threat, community bankers need to understand the inherent risk in their operational environments. Start by conducting a comprehensive risk assessment that: 1) identifies internal assets and processes, 2) describes internal and external threats to themselves, third parties and the sector as a whole, and 3) outlines their vulnerabilities to these threats.

Once inherent risks are understood, test and determine the quality of internal controls to determine residual risk and reveal gaps.

The assessment should answer with confidence:

  • What are your critical internal and external systems? How resilient are these systems?
  • Where does your confidential data reside?
  • Who can access your systems and data?
  • Are you vulnerable to attack? How do you know?
  • If you are attacked, how effective will your incident response plans be?
  • Are your system and security controls effective?
  • Are your third-party providers secure and resilient?

Based on the risk assessment, banks may need to update or add controls, engage new expertise, train existing employees or pursue an innovative technical solution.

Q: How should community banks consider the risk management expectations associated with cyber threats?

Abend: The OCC’s and consumers’ risk management expectations are the same. Community bankers need to ensure the confidentiality, integrity and availability of their data, and the systems that process the data.

Community bankers’ ability to manage these expectations often depends upon their third-party providers. Third-party relationships, particularly relationships with technology service providers, are important to community bankers’ ability to deliver products and services. However, due to the interconnected nature of networks and the high level of dependency on these providers, community bankers need to consider their third parties’ operational risk exposure and ability to mitigate these risks.

Q: What is some practical advice for community banks to prepare in the event of a cyber attack?

Abend: Community bankers need to prepare before they experience a cyber attack by developing and testing incident response plans. Plans should be integrated, flexible and enterprise-wide. They should include a multidisciplinary approach to dealing with potential impacts, including customer impacts, reputation harm and impacts to third parties. They should consider pre-arranging for risk mitigation services so that they aren’t trying to arrange for services during an attack.

It is also important that community bankers understand their connectivity to and dependence on third parties. They should understand the risks posed by their third-party providers and incorporate their third parties in their plans.

One of the most important lessons learned from cyber attacks is the importance of sharing information. Public-private partnership organizations, such as the Financial Services Information Sharing and Analysis Center (FS-ISAC), have helped community bankers learn about cyber attacks and risk mitigation tactics.

Additionally, community bankers should develop relationships with law enforcement so that they have a pre-established point of contact in the event of an attack.

Along with the ability to identify, prevent and respond to cyber threats, it is important that community banks maintain a strong security culture that is communicated from the top of the organization. This requires management’s consistent communication of security policies, governance and practices, ensuring accountability when considering strategic decisions that may impact the bank’s risk profile.

Q: What is the OCC doing?

Abend: We are taking an active role in addressing the risks posed by cyber threats. We spearheaded the creation of the new Cybersecurity & Critical Infrastructure Working Group under the FFIEC’s Task Force on Supervision and we are working actively with other Federal agencies including the Department of Homeland Security, the FBI, the U.S. Secret Service and the broader intelligence community.

We are also engaging the private sector through our outreach and through the public-private partnership and have organized classified briefings for bankers, examiners and technology service providers. We also issued an alert on Distributed Denial of Service attacks and are reviewing our policies, procedures and training to ensure that, as cyber threats evolve, all banks are poised to effectively identify the risks and strengthen their risk management and control systems.

Q: How can community banks obtain information and become more proactive?

Abend: There are several resources available. For example, joining Financial Services—Information Sharing and Analysis Center (FS-ISAC) can be valuable. Community bankers can also look to state and national banking organizations where experts offer information to mitigate exposure to cyber threats.

The OCC encourages community bankers to contact their OCC portfolio manager or assistant deputy comptroller when seeking guidance.