The Office of the Comptroller of the Currency (OCC) released its semi-annual risk report on Monday, highlighting the key issues the federal banking system faces as financial institutions continue to weather the pandemic. Amid operational, credit, compliance and strategic risks, the OCC cautioned banks about the evolving cyber and ransomware attacks the regulator has increasingly witnessed.
“Cyber actors continue to exploit publicly known and unaddressed software vulnerabilities against public and private sector organizations worldwide,” the OCC stated in its report.
The OCC stressed the necessity of vigilance as banks continue to expand mobile banking options and integration of third-party technology providers. The regulator suggests “robust” monitoring processes and multi-factor authentication as methods to protect consumer data.
Banks should also ensure that critical systems and records are backed up and stored in formats that are isolated from ransomware or other destructive malware attacks, the OCC stated.
Within the report, the banking regulator applauded the advancement of new technology such as real-time payment products and distributed ledger technology; however, it stated that third-party risk management continues to be an area of supervisory focus. As banks increasingly rely on third-party products to enhance customer experience, the OCC warned that third parties are just as vulnerable to cyber and security attacks.
“Supply chain risk continues to increase and evolve as attacks target vulnerabilities in software systems commonly used by large numbers of OCC supervised banks,” the OCC said. “These attacks demonstrate the importance of banks assessing the risks from their third parties, inclusive of the supply chain, and developing a comprehensive approach to operational resilience.”
On July 19, the OCC alongside the Federal Reserve and FDIC requested comment on proposed interagency guidance on third-party relationship risk management for threats associated with vendors, fintech companies, affiliates, and the banking organizations’ holding companies. By November, the same three US regulators approved a new rule that requires banks to report any “significant” cybersecurity incident within 36 hours of discovery.
Currently, each of the federal banking agencies has its own version of third-party risk management guidance, including the FDIC’s Guidance for Managing Third-Party Risk (2008), the OCC’s Third-Party Relationships: Risk Management Guidance (2013) and the Board’s Guidance on Managing Outsourcing Risk (2013).
Community banks, in particular, rely on these third-party integrations to bring legacy systems up to date, and were the highlight of the OCC’s “Special Topics” in its Fall report. According to the release, more than 80% of OCC-supervised institutions are national banks and federal savings associations with less than $15 billion in total assets (collectively, community banks).
For the OCC, these community banks serve an integral role in the U.S. economy and have persevered during the pandemic. Most community banks entered 2020 with high capital levels, strong liquidity, stable profitability and low past due loan levels, the OCC said.
“Community banks effectively weathered the economic turmoil and uncertainty created by government restrictions on activity, employee work at home, and income pressures resulting from the pandemic. Throughout this period, community banks served their communities by working with affected customers and supporting small businesses,” said the OCC.