Views on Cyber Attack Risk by the Comptroller of the Currency

By Jennifer Daniels

On September 18, the Comptroller of the Currency gave remarks before the Exchequer Club in Washington regarding the risks posed by cyber attacks, which the Comptroller said “have the potential to be as destructive of the financial system as the excess of the mortgage and securitization markets.”  The Comptroller explained that, if the risks posed by increasingly sophisticated and frequent attacks go unchecked, they could threaten the reputation of the country’s financial institutions, as well as public confidence in the system.  He echoed the Administration’s desire, reflected in the President’s Executive Order on Cybersecurity, for increased awareness, better information sharing, and collective response.

The Comptroller noted that the trend is toward more technology, including the use of cloud computing, social media, mobile banking, and new payment solutions.  As many companies know, each new opportunity brings expanded exposure.

The Comptroller echoed the Administration’s call to work together, and noted the efforts underway to do so, including the work being done by the Federal Financial Institutions Examination Council (“FFIEC”) Cybersecurity and Critical Infrastructure Working Group.  The Comptroller expressed the importance of sharing information and augmenting relationships between regulators, law enforcement, and the intelligence communities regarding the threats being seen and the best practices to address them.

The Comptroller noted a particular concern for community banks and thrifts, explaining that smaller players offer a point of access into the system and may have less sophisticated defenses than larger banks.  Understandably, smaller banks often rely on third-party vendors to support their IT functions and security, and may not have the expertise to identify and mitigate vulnerabilities.  The Office of the Comptroller of the Currency (“OCC”) is therefore devoting increased resources to community banks and thrifts and has increased outreach to such smaller organizations.  The Comptroller noted that the OCC is telling banks and thrifts that their boards and senior management need to be aware of, engaged with, and informed about the risks, so that there is a culture of risk management from the top.  Again, the Comptroller encouraged communication among institutions, both large and small, and with the relevant government agencies.

In general, the Comptroller emphasized that this is not a problem that can be addressed by one agency or one institution acting alone.