Category Archives: Cyber-Attacks

Risks & Opportunities Facing Financial Services

Comptroller of the Currency Thomas J. Curry recently discussed risks and opportunities facing financial services during remarks before the New England Council in Boston, MA. During his speech, the Comptroller commented on interest rate risk, compliance risk, cybersecurity, and the role collaboration can play in mitigating these risks. He also discussed opportunities to improve business operations as well as service to customers.

More specifically, Curry emphasized that the inevitable rise in interest rates could greatly affect loan quality, particularly loans that were not carefully underwritten to begin with, and that “loans that are typically refinanced, such as leveraged loans,” would be especially hard hit. The final and “perhaps the foremost risk facing banks today,” according to Curry, is cyber threats. Curry outlined the agency’s efforts to curtail cyber intrusion in the banking industry, highlighting the June 30 release of its Semiannual Risk Perspective. Curry noted lastly that information-sharing is just as important as self-assessment and supervisory oversight, and he strongly recommended that financial institutions of all sizes participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC), a non-profit information-sharing forum established by financial services industry participants to facilitate the sharing of physical and cyber threat and vulnerability information. Collaboration among banks of all sizes and non-bank providers, Curry stated, can be a “game-changer” in more ways than one.

Read Curry’s remarks

FDIC's Advisory Committee on Community Banking Scheduled to Meet

The Federal Deposit Insurance Corporation (FDIC) has announced that its Advisory Committee on Community Banking will meet on Friday, July 10. Staff will provide an update on a number of issues, including examination frequency and offsite monitoring; call report streamlining; the cybersecurity assessment tool; and recent rulemakings. There also will be discussions about high volatility commercial real estate loans and review of banking regulations under the Economic Growth and Regulatory Paperwork Reduction Act (EGRPRA).

The meeting is open to the public and will be held from 9:00 a.m. to 3:00 p.m. EDT in the FDIC Board Room on the sixth floor of FDIC headquarters located at 550 17th Street, NW, Washington, D.C. The meeting also will be webcast live. The agenda for the meeting and a link to the webcast are available at https://www.fdic.gov/communitybanking/2015/2015-07-10_agenda.html.

Cybersecurity Assessment Tool Released

The FDIC and FFIEC have released a Cybersecurity Assessment Tool to help financial institutions, including those with less than $1 billion in total assets, identify their cybersecurity risks and determine their preparedness. The Assessment provides a repeatable and measurable process that institutions can use to gauge their cybersecurity preparedness over time.

The Assessment consists of two parts: an Inherent Risk Profile and a Cybersecurity Maturity assessment. The Inherent Risk Profile identifies the institution’s inherent risk before controls are applied. The Cybersecurity Maturity part comprises domains, assessment factors, components, and individual declarative statements across five maturity levels, used to identify the specific controls and practices that are in place. While management can determine the institution’s maturity level in each domain, the Assessment is not designed to produce an overall cybersecurity maturity level. To complete the Assessment, management first rates the institution’s inherent risk profile across five categories:

  • Technologies and Connection Types
  • Delivery Channels
  • Online/Mobile Products and Technology Services
  • Organizational Characteristics
  • External Threats

Management then evaluates the institution’s Cybersecurity Maturity level in each of five domains:

  • Cyber Risk Management and Oversight
  • Threat Intelligence and Collaboration
  • Cybersecurity Controls
  • External Dependency Management
  • Cyber Incident Management and Resilience

Learn More About the Cybersecurity Assessment Tool

FFIEC Cybersecurity Assessment Tool Presentation View Slides (PDF) | View Video

The FDIC encourages institutions to comment on the usability of the Cybersecurity Assessment Tool, including the estimated number of hours required to complete the Assessment, through a forthcoming Federal Register Notice. FDIC-supervised institutions may direct questions on the FFIEC Cybersecurity Assessment Tool through https://fdicsurveys.co1.qualtrics.com/jfe/form/SV_4JgpIWXWB9Gjps1.

Target Settles Data Breach, are Banks Next?

On March 19, Target agreed to pay $10 million to settle a class action lawsuit brought by consumers harmed by its 2013 data breach. “The settlement strengthens the case of the banking industry, which is asking Target and other retailers to cover the hundreds of millions of dollars incurred protecting their customers from losses,” said American Bankers Association President and CEO Frank Keating in a press release. “After covering consumers’ losses from its data breach, Target should step up and cover [the banking industry’s] costs too,” he said. “This settlement does little to address the real problem: stopping a breach before it happens. Target, and the many other retailers who have suffered recent breaches due to holes in their internal computer defenses, should be forced to do more.”

According to documents filed this month in the United States District Court for the District of Minnesota, shoppers affected by the breach are eligible for damages of up to $10,000 each. To claim damages, victims must prove, among other things, that unauthorized charges were made to their credit cards. They must also show that they spent time addressing the fraudulent charges and incurred costs from correcting their credit reports, from higher interest rates or fees, from replacing driver’s licenses or other forms of identification, or from hiring identity protection companies or lawyers.

Credit Union Files Class Action Suit for Data Breach

On March 13, a federal credit union filed a lawsuit against a national retailer and its parent company, alleging that their actions surrounding a September 2014 data breach injured credit unions, banks, and other financial institutions. Greater Chautauqua FCU v. Kmart Corp. and Sears Holdings Corp., No. 15-cv-2228 (N.D. Ill. Mar. 13, 2015), claims that because of the data breach the credit union had to: (a) cancel or reissue any credit and debit cards affected by the breach; (b) close any deposit, transaction, checking, or other accounts affected by the breach; (c) open or reopen any deposit, transaction, checking, or other accounts affected by the breach; (d) refund or credit any cardholder to cover the cost of any unauthorized transaction relating to the breach; (e) respond to a higher volume of cardholder complaints, confusion, and concern; (f) increase fraud monitoring efforts; and (g) lose revenue as a result of a decrease in card usage after the breach was disclosed. The credit union asserts in the suit that the defendants’ “failure to adequately secure their data was inexcusable,” and that the retailer failed to detect the breach or notify customers for a period of at least five weeks.

The lawsuit alleges damages in excess of $5,000,000 for violations of the Illinois Personal Information Protection Act, the Illinois Consumer Fraud and Deceptive Business Act, and New York General Business Law, as well as negligence, and negligent misrepresentation and/or omission.

Read the Class Action Suit.

New Cyber Threat Intelligence Integration Center Announced

On February 10, Lisa O. Monaco gave prepared remarks on behalf of the White House announcing the establishment of a new Cyber Threat Intelligence Integration Center (CTIIC) under the auspices of the Director of National Intelligence. Currently, no single government entity is responsible for producing coordinated cyber threat assessments. The CTIIC is intended to fill this gap by serving a function for cyber threats similar to the one the National Counterterrorism Center serves for terrorism: integrating intelligence about cyber threats; providing all-source analysis to policymakers and operators; and supporting the work of the existing Federal government cyber centers, network defenders, and local law enforcement communities. The CTIIC will not collect intelligence; it will analyze and integrate information already collected under existing authorities.

Before announcing the center, Monaco described the need for it: “The range of cyber threat actors, methods of attack, targeted systems, and victims are expanding at an unprecedented clip. The pace of cyber intrusions has also ticked up substantially—annual reports of data breaches have increased roughly five-fold since 2009. And the seriousness of those breaches is also rising, causing significant economic damage. In short, the threat is becoming more diverse, more sophisticated, and more dangerous.”

She further stated, “Like counter-terrorism, meeting cyber threats requires a whole-of-government approach that uses all the appropriate tools available to us—including our global diplomacy, our economic clout, our intelligence resources, our law enforcement expertise, our competitive technological edge, and, when necessary, our military capability.” She also cautioned that the private sector cannot and should not rely on the government to solve all of its cybersecurity problems, and challenged everyone to improve their defenses by employing better basic preventive cybersecurity, such as the steps outlined in the Cybersecurity Framework announced last year.

See White House’s Remarks

OCC Highlights Key Risks Facing Banking System

The Office of the Comptroller of the Currency (OCC) has released its Semiannual Risk Perspective, a report highlighting key risk areas affecting the federal banking system. The report presents data in five main areas: the operating environment; bank condition; key risk issues; the range of practice in interest rate risk modeling; and regulatory actions. It focuses on issues that pose threats to the safety and soundness of the financial institutions regulated by the OCC and is intended as a resource for the industry, examiners, and the public, reflecting data as of June 30, 2014.

Specifically regarding community and midsize banks, the report identifies the following key risks:

  • High strategic risk as banks adapt their business models to respond to sluggish economic growth, low interest rates, and intense competitive pressures.
  • Properly planning for management succession and retention of key staff.
  • Erosion of underwriting standards in various loan products.
  • Expansion into loan products that require specialized risk management processes and skills, such as participations in syndicated leveraged loans.
  • Increasing exposure to interest rate risk (IRR) at banks with concentrations in long-term assets (including mortgage-backed securities [MBS] and loans) and uncertainties about the behavior of non-maturity deposits (NMDs) once interest rates increase.
  • Appropriate oversight of third-party vendors.
  • Increasing volume and sophistication of cyber threats.
  • Increasing BSA/AML risk because of higher-risk services and customer relationships.
  • Ensuring effective compliance management systems and staffing.

The outlook for community and midsize banks includes:

  • Moderate to strong loan growth, stabilizing net interest margin (NIM), and stronger capital ratios.
  • Suppressed mortgage-banking revenue and lower gain-on-sale margins.
  • A continued search for higher-yielding assets and profitable strategic business niches.
  • Expansion into new products and services.


Cybersecurity Assessment Observations Released

On November 3, the Federal Financial Institutions Examination Council (FFIEC) released its observations from its cybersecurity assessment. During the summer of 2014, FFIEC piloted a cybersecurity assessment at more than 500 community institutions to evaluate the institutions’ preparedness to mitigate cybersecurity risks. The assessment supplemented regularly scheduled exams and built upon key supervisory expectations contained within existing FFIEC information technology handbooks and other regulatory guidance.

The Cybersecurity Assessment found that the level of cybersecurity inherent risk varies significantly across financial institutions. Today’s financial institutions are critically dependent on IT to conduct business operations. This dependence, coupled with increasing sector interconnectedness and rapidly evolving cyber threats, reinforces the need for engagement by the board of directors and senior management, including understanding the institution’s cybersecurity inherent risk; routinely discussing cybersecurity issues in meetings; monitoring and maintaining sufficient awareness of threats and vulnerabilities; establishing and maintaining a dynamic control environment; managing connections to third parties; and developing and testing business continuity and disaster recovery plans that incorporate cyber incident scenarios. Accordingly, the FFIEC also recommended that financial institutions of all sizes participate in the FS-ISAC as part of their process to identify, respond to, and mitigate cybersecurity threats and vulnerabilities. The FS-ISAC is a non-profit information-sharing forum established by financial services industry participants to facilitate the public and private sectors’ sharing of physical and cybersecurity threat and vulnerability information.

FDIC Urges Banks to Prep for Cybersecurity

On September 22, 2014, FDIC Chairman Martin J. Gruenberg gave remarks to the American Banker Regulatory Symposium in Arlington, Virginia. Gruenberg named cybersecurity among three concerns facing the industry as banks make the transition into a period of stronger growth and increased lending. The other two are continued risks posed by a changing interest rate environment, and the need for prudent underwriting and risk management despite temptations to cut corners as loan demand rises. In his remarks he called cybersecurity an issue of “highest importance” for the FDIC and discussed the FDIC’s recent initiatives to address cybersecurity as a critical operational risk for large and small banks, including: (1) a new framework for conducting IT examinations in partnership with the Federal Financial Institutions Examination Council (FFIEC), including “published standards, examination procedures, routine on-site inspections, and enforcement capability”; (2) the Cybersecurity and Critical Infrastructure Working Group, an inter-agency liaison with law enforcement to help the banking agencies share information, collaborate regarding examination policy, and coordinate responses to cybersecurity incidents; (3) the FDIC “Cyber Challenge,” an online resource designed to help community banks assess their own preparedness to address a cybersecurity incident; and (4) a new requirement that community banks’ third-party technology service providers (TSPs) update their client financial institutions on any operational concerns the FDIC identifies at the TSP during an examination.

Chairman Gruenberg also emphasized the urgency of the threat: “In an increasingly interconnected banking environment, Internet cyberthreats are rapidly becoming the most urgent category of technological challenges facing our banks. The large number [of] and sophistication of cyberattacks directed at financial institutions in recent years does require a shift in thinking.”

SEC's OCIE Cybersecurity Initiative

On March 26, 2014, the Securities and Exchange Commission (SEC) hosted a roundtable to discuss cybersecurity issues facing public companies, broker-dealers, investment advisers and other market participants. While cybersecurity has been a hot topic for the last couple of years, the SEC has provided only informal guidance to registrants and other market participants. At the roundtable, Chair Mary Jo White emphasized the “compelling need for stronger partnerships between the government and private sector” to address cyber threats.

On April 15, 2014, the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert describing an initiative it is currently undertaking to assess cybersecurity preparedness in the securities industry. The nine-page document contains several examples of the questions SEC examiners might ask brokerages and asset managers during inspections. According to OCIE, the examinations will focus on “cybersecurity governance, identification and assessment of cybersecurity risks, protection of networks and information, risks associated with remote customer access and funds transfer requests, risks associated with vendors and other third parties, detection of unauthorized activity, and experiences with certain cybersecurity threats.”

The SEC hopes these examinations will help identify areas where the Commission and the industry can work together to protect investors and our capital markets from cybersecurity threats. The sample document request is intended to empower compliance professionals in the industry with questions and tools they can use to assess their firms’ level of preparedness, regardless of whether they are included in OCIE’s examinations.