WASHINGTON Comptroller of the Currency Thomas Curry on Wednesday highlighted steps regulators are taking to mitigate one of their greatest fears: a cyber-attack on a financial institution that is so massive it destabilizes the financial system.
"There are a couple of concerns. One certainly is" that an attack at an "individual institution... could deplete capital and jeopardize [its] individual existence," Curry said, speaking to reporters. But, he added, "In the worst possible case, if there was a compromise of core systems at an institution you do have an erosion in public trust in both that institution and the system itself and that is what we are working to make as remote as possible through heightened vigilance."
One of regulators' steps to mitigate cyber threats is releasing a cybersecurity "tool" for banks to assess their own preparedness and to use as a guide for bolstering cyber defense programs. The tool, which is expected to be deployed by the end of the month, is meant more for community banks, but it could also be useful for larger banks and third-party service providers that cater to multiple institutions.
"We are looking to have a tool that can be used by all sizes of institutions, basically to have an initial step for them to make an assessment of both their risks and their ability to address those risks," Curry said. "It is really designed to be a work plan for individual institutions, which would be supplemented by, in our case, the OCC's cybersecurity examination programs," (He addressed reporters following a speech at the Financial Services Roundtable BITS Emerging Payments Forum.)
He added that cyber-readiness assessments should be a "system-wide" exercise. "That requires that every institution... take appropriate steps to make sure that they have adequate defenses given the inherent risk that they pose," Curry said.
The development of the tool follows a pilot program that was conducted last year to assess cyber-readiness at 500 community financial institutions. While the tool will be voluntary at first, experts expect it ultimately could be compulsory and results of the self-assessment could be incorporated in future exams.
Another method identified by both the industry and the regulators to defend against cyber-attacks is information-sharing. One way that institutions have done that is through the Financial Services Information Sharing and Analysis Center, a member-owned, nonprofit that is used to share information about the variety and frequency of attacks that institutions are seeing.
"When you look at something like FS-ISAC, I think that is a success story. That is an example of two-way sharing within the industry and complementary sharing with government agencies," Curry said. "That's really a key part of the defense strategy in the cyber area.... The more we can move towards real-time notifications and communications the more effective we will be."