The Office of the Comptroller of the Currency says its cybersecurity exams already include many of the same requirements New York's financial regulator recently spelled out for assessments of state-chartered banks.
In an article last week, American Banker compared New York Department of Financial Services Superintendent Benjamin Lawsky's forthcoming cybersecurity exams to the feds' exams. Lawsky has said he wants to encourage a laser-like focus on this issue by both banks and regulators.
The OCC was unable to accommodate requests for an interview before the article was published, but spoke to us afterward and staunchly defended the regulator's own examinations of banks' security defenses.
"I believe we have a laser-like focus" on cybersecurity, said Joel Anderson, the large-bank lead IT expert at the OCC. "Some of the comments from [Comptroller Thomas] Curry and our testimony before the Congress very eloquently states that that's a key issue for us."
The interagency Federal Financial Institutions Examination Council, of which the OCC is a member, has said federal regulators will conduct cybersecurity assessments that will vary in intensity, depending on the size and risk profile of the bank.
Anderson stressed, however, that all of the OCC's guidance and booklets are applicable to all sizes of institutions it supervises.
"When we look at the risks and threats and complexity that a bank offers, we have to make sure the controls and processes are sufficiently robust," he said. "There is a higher level of expectation, but all our expectations as laid out in the handbook are for all."
Many of the demands New York plans to make of banks' cybersecurity efforts, the OCC says it already makes.
For example, Empire State banks will have to provide the CV and job description of the current chief information security officer or the person filling that role as well as that person's training, experience, reporting lines and an organization chart for the IT and information security functions.
The OCC also asks for the CISO's resume and job description at the banks it examines, Anderson said. "We want to assess the roles and responsibilities associated with information security and other areas," he said. "Often that includes understanding the CISO's role, authority, level of responsibility and the effectiveness of that position."
Also like New York's examiners, the OCC reviews banks' information security policies and procedures and looks at the relationships between security and IT in the banks it supervises, Anderson said.
The New York Department of Financial Services will ask banks to describe how they use multi-factor authentication and how they test new software before putting it into practice.
The OCC issued guidance on authentication in 2005 that was updated in 2011. It doesn't specify how many layers of authentication banks need to use.
"It's a moving target," Anderson said. "Our expectations are that banks are doing assessments of the risks that are presented by the various things they're offering, and ensuring that a set of layered controls sufficiently mitigates that risk."
The regulator also looks at software testing, Anderson said. This is another area that Lawsky's document discussed in detail.
The New York exams will scrutinize banks' due diligence around third-party service providers, something the FFIEC also requires. In that vein, the OCC a year ago issued a bulletin on banks' management of third-party providers.