Banks need to fill gaps in third-party cyber risk: Fed's Barr

Photo: Michael Barr, vice chair for supervision at the U.S. Federal Reserve, said he expects cyber threats against the financial services industry to become increasingly disruptive. (Craig Hudson/Bloomberg)

There have historically been "gaps" in banks' efforts to manage their third-party cyber risk, according to the Federal Reserve's vice chair for supervision, Michael Barr, who spoke about measuring cyber risk in financial services at a Wednesday conference.

Barr, who develops policy recommendations for regulating banks as the Fed's vice chair for supervision, said Wednesday he expects cyber threats against the financial services industry to become increasingly disruptive, highlighting ransomware and third-party risks as major threats to banks.

"Reliance by banks on third-party service providers has grown considerably in recent years, and with that reliance comes the potential for greater cyber risk," Barr said. "It is ultimately the responsibility of banks to manage their third-party risk, and we have historically seen gaps in this regard."

Barr also said that banks must take action to uncover vulnerabilities in their systems and remedy them before attacks occur, but such defense is "not sufficient."

"It is important that banks also focus on resilience to successful cyberattacks, including by developing and regularly testing business continuity plans," Barr said.

On the subject of the conference, Barr said techniques for quantifying cyber risk are "still at a nascent stage," in part because of a lack of good data, though he expects cyber incident reporting will be a part of remediating that.

Banks must comply with many security incident reporting rules already, but a law passed in 2022 that must be implemented by next year will require banks and many other companies to report certain cybersecurity incidents to the federal government within 72 hours.

Banking industry lobbyists expect the 72-hour rule to enable the Cybersecurity and Infrastructure Security Administration, which will receive the notifications, to produce reports about threat actors and provide early warning of potential attack vectors.

Other factors Barr said will help improve cyber risk quantification include insights on the interconnectedness of financial companies and service providers, which will help identify and measure the impact of incidents on the broader financial system.

"The ability to better measure cyber risk will allow banks and supervisors to improve their understanding of the direct and indirect costs of a cyber disruption," Barr said.
