Comptroller Curry Discusses Cyber Risks Related to Third-Party Service Providers

In a speech before the New England Council, Comptroller of the Currency Thomas J. Curry discussed cybersecurity, recent efforts to combat cyberattacks, and risks stemming from relationships between banks and their third-party service providers.

Echoing remarks made last month before a meeting of CES (Consumer Electronics Show) Government, Comptroller Curry mentioned three specific risks related to third-party cybersecurity: (i) the extent to which service providers are consolidating and leaving financial institutions more dependent upon a single vendor, (ii) the increased reliance by banks on outside vendors – including foreign-based subcontractors – to support critical activities, and (iii) the access that third parties have to large amounts of sensitive bank and customer data.

Comptroller Curry emphasized that he is most concerned that risk management practices may not be keeping pace with the cyber-related institutional risks being assumed. He pointed out that even well-established banks have encountered major challenges as a result of underestimating the risk in third-party relationships. He noted that, without the appropriate controls and oversight, institutions are left open to credit losses, compliance problems, litigation exposure and reputational damage.

Comptroller Curry concluded by stressing the need for collaboration by federal and state banking agencies, private sector firms, and trade associations in the effort to combat cyber threats.

See: Comptroller Curry's Speech. See also: OCC's October Guidance on Risk-Management Practices. Related News: OCC Comptroller Curry Discusses Cybersecurity (April 16, 2014).
