Federal Regulators Plan Cybersecurity Assessments for Certain Banks


Federal regulators have substantially elevated cybersecurity risk assessments as yet another monitoring tool. They now view risk assessments not just as relevant to mundane IT issues but as more fundamental for assessing operational risk relevant to the safety and soundness of the entire banking institution. Indeed, in a May 7, 2014 speech, Thomas J. Curry, the Comptroller of the Currency, noted “that some of the most significant losses banks have sustained in the last several years were attributable not to the loans they made but rather to lapses in operational risk management and the ensuing legal judgments, regulatory fines and reputational damage.” 

The sophistication of cyber-attacks has increased in parallel with the evolution of financial services technology over the last 30 years – from ATMs to Internet-based banking to mobile banking, all of which increase vulnerability and exposure for banks. As Curry noted, “[R]isk today, in an interconnected world, is qualitatively different – and far more difficult to manage – than it was even a few years ago.”

As a result, the following initiatives are under way:

  1. The Federal Financial Institutions Examination Council (Council), an interagency body striving for uniformity in the principles, standards and reporting forms for federal examinations undertaken by the Board of Governors of the Federal Reserve Board, the Office of the Comptroller of the Currency (OCC), the Federal Deposit Insurance Corporation, the Consumer Financial Protection Bureau and the National Credit Union Administration, has plans to more aggressively supervise smaller community banks with cybersecurity vulnerability and risk-mitigation assessments through its Cybersecurity and Critical Infrastructure Working Group. These assessments will begin in late 2014.
  2. The OCC, a member of the interagency Council, has plans to do the same with certain large banks with average consolidated total assets of $50 billion or more under the Bank Service Company Act, 12 U.S.C. §1861, et seq. The OCC released proposed guidelines on “heightened expectations for risk management, internal audit and governance in large national banks” in January, according to Curry. Comments have been received and are being evaluated. At the core, as summarized by Curry, the new proposed guidelines mandate a system to effectively “identify, measure, monitor and control risk taking,” ensure that “the board of directors has sufficient information” and “set criteria for the board’s composition and responsibilities, to ensure that boards have a minimum number of independent directors and that all board members have the information, status and authority to ensure effective oversight.”

Ultimately, the Council and the OCC recognize the increased importance of cybersecurity to financial institutions, including their oversight of connected third-party business partners. Further updates will follow.

Written by: Snell & Wilmer