Regulators Offer Cybersecurity Guidance to Small Banks

WASHINGTON — Regulators are focusing attention on ensuring community banks have proper security systems in place in the wake of a string of cyberattacks on megabanks.

The Office of the Comptroller of the Currency hosted a webinar this week with roughly 1,000 community bankers offering a basic course on cybersecurity policies and procedures.

Though most of the information has previously been released, the outreach showed a heightened regulatory awareness of cybersecurity threats across the financial services industry.

"The OCC is committed to doing everything we can to increase awareness of the institutions we regulate and to provide appropriate guidance and supervision to enable them to protect themselves against the growing cyber threat," said Comptroller of the Currency Thomas Curry in a press release. "Through our supervisory activities and outreach efforts such as this webinar, we're working to ensure banks and thrifts are in the best position to identify operational risk, bolster their risk management systems, and ensure a safe banking system for their customers."

In a similar presentation with reporters on Wednesday, OCC officials said bankers on the agency's webinar were more concerned about examination policies and whether they needed a separate program devoted exclusively to cybersecurity.

The OCC's "answer was basically, no, a bank should not carve out cyberthreat, cybersecurity or cyberrisk as a separate program," said Norine Richards, the OCC's lead technology expert for the Western District. "It has to be integrated as part of the key processes we talked about" such as information security and vendor management.

"That's the message we really wanted to convey," she added.

OCC officials stressed that bank boards and management will be held responsible for sufficient cybersecurity policies and practices and that those must be monitored and adjusted periodically to deal with evolving threats.

"The foundation of our supervision is supervision by risk, so we are constantly evaluating from a supervisory standpoint … whether their [the bank's] risk management practices are changing in a commensurate manner," said Valerie Abend, senior critical infrastructure officer at the OCC.

Cyberattacks jumped 42% last year, with half of those attacks aimed at businesses with fewer than 2,500 employees, the OCC said. The largest growth in attacks was among businesses that had fewer than 250 employees.

Though the OCC webinar was for community banks, officials said it was not an indication that smaller banks are facing more cyberattacks or managing them poorly compared with the large banks that garner the most attack-related headlines.

"This web conference is just a part of a larger outreach that we're doing across all sized banks that we supervise," Abend said. "It's really not in response to one particular event. It's really just on understanding this is a growing trend."

Regulators formed a working group on cybersecurity last week between federal and state banking agencies as threats increase. OCC officials said during the call that they are working with numerous enforcement and other agencies to create a more unified approach to cybersecurity. They are also seeking to improve the information that banks provide to examiners within their district, which is ultimately reported to Washington.

"In lieu of conversations right now and the ever changing landscape, we're going to continue to look for ways to improve that information" provided by examiners through the banks, Richards said.
